Re: [GNAP] Terminology proposal
Fabien Imbault <fabien.imbault@gmail.com> Mon, 14 December 2020 08:01 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF9863A0A42 for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 00:01:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EcNbrAZeA0vr for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 00:01:27 -0800 (PST)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 834E73A0A05 for <txauth@ietf.org>; Mon, 14 Dec 2020 00:01:27 -0800 (PST)
Received: by mail-il1-x12b.google.com with SMTP id q1so15006196ilt.6 for <txauth@ietf.org>; Mon, 14 Dec 2020 00:01:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fhcHjIu/rkh21/W4ozTXWuQTNH+tTubCCozGePWUgIA=; b=h2B1zPxC/MDLG5SMnKchcRR8HiZVNoFN2zVzWhNk5uJyu8o5q2U3RHCoJfWOxJkXsU T7CFk6H9JSwX+kjOxnoe2O3fnEN6cP4PKsvKcukHuzj2IfRnI6+clcVIoNU2XwylzElN l21LVlPFqb4rui4PF+0pWTKQAJ8G38WtiC1J0zzrsG44g6xmjWeeaM39bWyOKlteFVAp Evv8v88MylhULtYUWYoUJMTK4iDmq8c19RGpzjYotR880H5QDzFqn/Rs4Zojgxl7Z9DE tz6gZBqApYY07NDUh3IGyDpGDCWytkIOenTLdwihY5WS6Wi4HMa4tXaOi49O0pKaKwdI Hhdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fhcHjIu/rkh21/W4ozTXWuQTNH+tTubCCozGePWUgIA=; b=i6rMcyot3xMqQisCE8oQfKFNccRK1KIu35Jc5eYw3nx9tDIbZuX5szTOg2JCGQs1z1 k+AYH6apS+ewpYDa2N5Jb9JnBKr8VtGW6WgzuEvwrgj4WfD1AFv8HiqUl2G79YyDIohe SmnYgoL89NhcQfYvwqEyGWxaHG1m5/+g+sQACzJktOO1qw3M/Z6rxgk016YtNA8q3n0Y dvSYhLH31O1s1uJOd8bahaun6bD3qMR6+Wfcn94XqDi+ylCFKPgSM97JZ+8OIRI8z+UR eWi8eXHZdTzGg6gxk5Xgi50Qt/1Qjycali73QugZ+b68hvwKZ1v6sq7Gl9wZrXFfDOJR ymgg==
X-Gm-Message-State: AOAM532OmgMd7bdZVDEiWhS2RPOz0/+XKJXG9TT/MECrJa+3uu3jajG/ lHREhWj2Tp/pxankzoUkj+amLKbGVQyskcqu4/g=
X-Google-Smtp-Source: ABdhPJxobr3Hdbdtb8Wi8M7ulUBVAKJeb7MAUd+D5ONEq/4JxOP9XSEakQLJddzcYzHthfhLGtPhXTTI+mZyuUwI2m4=
X-Received: by 2002:a92:aa4c:: with SMTP id j73mr32538920ili.123.1607932886449; Mon, 14 Dec 2020 00:01:26 -0800 (PST)
MIME-Version: 1.0
References: <CAM8feuT0ex-Jm1=pfyPN6DX_X2gcB8wuGQ3UJMtbO=3kxTmR8Q@mail.gmail.com> <26b4f31f-921c-6f9e-57d9-e378406e4cb6@free.fr> <CAM8feuT0YToOAnyXDXPdKgt4BxUjmTwx+y+9k+0Tpm-pdZR0nQ@mail.gmail.com> <95C942E8-5261-4DA3-9764-27767B6E6BF1@gmail.com> <CAM8feuRqyD+ej7Wh1vi4_pdBtcTV+k3_Au0JLFwa1VE=ODgPmA@mail.gmail.com> <CAM8feuTqtDO+VnqPY0o0u4SV-G=cH4ECSFtSNvi6qkauMNjoTQ@mail.gmail.com> <13422918-A279-45FD-97B7-E02D74534960@gmail.com> <CAM8feuSxJkX_M4+GNUD_k_mJTffpyVbtiwUKaAw02x-zQZQiJA@mail.gmail.com> <CAK2Cwb5WkMYKqnraXAQD6WcJ5eJAon4PVhA8rbPOzYh6fQwP-w@mail.gmail.com>
In-Reply-To: <CAK2Cwb5WkMYKqnraXAQD6WcJ5eJAon4PVhA8rbPOzYh6fQwP-w@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Mon, 14 Dec 2020 09:01:15 +0100
Message-ID: <CAM8feuSCuJSp6Y-_48j1ciwwkjwy8=wdDhURTek7BgDEBYqgkg@mail.gmail.com>
To: Tom Jones <thomasclinganjones@gmail.com>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, Denis <denis.ietf@free.fr>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008501ce05b6680c00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/WLBpqq643vosEk3yDrxWBqu_lqs>
Subject: Re: [GNAP] Terminology proposal
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 08:01:33 -0000
Thanks Tom. Yes, we now have Yaron's definition, minus the typically. On Sun, Dec 13, 2020 at 11:34 PM Tom Jones <thomasclinganjones@gmail.com> wrote: > from the point of view of the GNAP std I would drop typically. If it meets > the std then it MUST get an access token. It is the AS that is optional (at > least i think that is where GNAP is headed.) > Peace ..tom > > > On Sun, Dec 13, 2020 at 11:21 AM Fabien Imbault <fabien.imbault@gmail.com> > wrote: > >> Hi Yaron, >> >> Stylistic comments are very important too. And at some point we'll need a >> review from native english speakers in the group (I'm sure Justin and Aaron >> will be of great help here). >> >> Just wondering: what do you mean by "typically"? (ideally I'd rather have >> a definition which is not dependent on use case). >> >> As soon as we land on something, I'll update the wiki. >> >> Fabien >> >> >> >> On Sun, Dec 13, 2020 at 8:12 PM Yaron Sheffer <yaronf.ietf@gmail.com> >> wrote: >> >>> It’s purely stylistic, but I find the definition of RS (“server that >>> denies operations”) a bit funny. How about: >>> >>> >>> Resource Server (RS) >>> >>> - Definition: server that provides operations on protected >>> resources; such operations typically require that the client provide valid >>> access tokens issued by an AS >>> >>> Thanks, >>> >>> Yaron >>> >>> >>> >>> *From: *Fabien Imbault <fabien.imbault@gmail.com> >>> *Date: *Sunday, December 13, 2020 at 13:20 >>> *To: *Yaron Sheffer <yaronf.ietf@gmail.com> >>> *Cc: *Denis <denis.ietf@free.fr>, GNAP Mailing List <txauth@ietf.org> >>> *Subject: *Re: [GNAP] Terminology proposal >>> >>> >>> >>> Hello everyone, >>> >>> >>> >>> We're at the end of the 2 week period, and so I integrated the various >>> feedbacks : >>> >>> >>> >>> a) from Yaron's feedback, removed new term "IS" and update issue >>> https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/133 to handle >>> the proposal here >>> >>> b) integrated Tom's feedback regarding the RO (and moved to access >>> token) >>> >>> c) definitions follow an ISO style as suggested by Denis, which we took >>> as a starting point (but I made the modifications I felt were necessary) >>> >>> >>> >>> I modified the definitions, notes and examples as a consequence. You'll >>> also find a summary of discussions for each term, so that we can keep track >>> of them too. >>> >>> >>> >>> My biggest question is : what should we use as our main vocabulary >>> between privilege/rights/attribute? I tried to clarify, please let me know >>> what you think. The general idea is that we grant privileges that are >>> delivered under the form of access tokens (which contain rights and/or >>> attributes). >>> >>> Regarding whether access tokens should be opaque or not, I suggest to >>> remove that from the definition and handle that in issue >>> https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/145 >>> >>> >>> >>> All has been consolidated on the wiki too >>> https://github.com/ietf-wg-gnap/gnap-core-protocol/wiki/Terminology so >>> that we have a clearer view of where we stand. >>> >>> >>> >>> Please comment further on the list if you have comments, I'll update if >>> necessary (and refer to the mailing list url in the comment of the wiki >>> update, from now on). Then editors will review the proposal. >>> >>> Here is a copy of >>> https://github.com/ietf-wg-gnap/gnap-core-protocol/wiki/Terminology#latest-discussion-update >>> . >>> >>> >>> Latest discussion update >>> >>> Here we consolidate the latest proposal(s) from the group. We also >>> include the discussion items (individual feedbacks). >>> Authorization Server (AS) >>> >>> - Definition: server that grants privileges to a particular end-user >>> and that provides them to a client in the form of an access token >>> >>> Feedbacks / discussion / questions : >>> >>> - Suggested "privilege" definition (that we would probably add as an >>> additional sub-entry): "A privilege is the right to perform an operation >>> (or action) on a Resource." See also other def >>> <https://open-measure.atlassian.net/wiki/spaces/DIC/pages/67568310/Privilege+Dictionary+Entry> >>> - Note that we don't include claims in the definition (cf OIDC/SSI >>> integration), but since we talk about a "particular end-user" it is assumed >>> somehow >>> - Denis suggested we used "rights and attributes" instead of >>> privileges. [FI] However i don't think one can really speak about granting >>> attributes, except indirectly (ABAC). See access token for more on that, >>> where we can be more specific. >>> - Do we allow cases such as distributing the AS on a mobile? (in >>> this case we're at the limit of what we call a server) >>> >>> Client >>> >>> - Definition: application used by an end-user to interact with an AS >>> or a RS >>> - Note: this specification differentiates between a specific >>> instance (the client instance, identified by its public key) and the >>> software running the instance (the client software). For some kinds of >>> client software, there could be many instances of a single piece of client >>> software. >>> - Example: a client can be a mobile application, a web application, >>> etc. >>> >>> Feedbacks / discussion : >>> >>> - Replaces previously proposed RC, we wouldn't provide a short name. >>> - Keep OAuth2 term, but we clarify it >>> - Further discussion on Client instance >>> <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/132> >>> >>> Resource Server (RS) >>> >>> - Definition: server that denies operations on protected resources, >>> unless the client provides valid access tokens issued by an AS >>> >>> Feedbacks / discussion : >>> >>> - Denis suggests to make explicit that we could have several ASs - >>> "issued by one or more ASs" (also we'd need a convention on how to denote >>> plural, e.g. ASs). Not exactly sure right now of the multiple issuance >>> would work, so needs to be clarified. Also not sure if that's even >>> necessary (do we lack in generality if we keep the singular?) >>> >>> Resource Owner (RO) >>> >>> - Definition: physical person acting on its own or representing an >>> organization, that may grant privileges on resources he has authority upon >>> - Note: the act of granting privileges may be manual (i.e. through >>> an interaction) or automatic (i.e. through predefined rules). >>> >>> Feedbacks / discussion >>> >>> - As some point we suggested "The RO may decide to remove its >>> consent at any time." Tom provided useful feedback >>> <https://mailarchive.ietf.org/arch/msg/txauth/n_vDfQGaUO6v56nbXyG5lpDda-M/> on >>> that. Moved to access token where it fits more naturally. >>> >>> End-user >>> >>> - Definition: physical person that operates with the client software >>> - Note: that physical person may or may not be the same entity as >>> the RO >>> >>> Access token >>> >>> - Definition: digitally signed data that contains specific rights >>> and/or attributes >>> - Note 1: the access token can be issued to an end-user (usually >>> requiring his authentication) and subsequently refreshed. The AS usually >>> provides a method for the RO to revoke the privileges at any point in time. >>> - Note 2: an access token may act as a capability (i.e. bearer >>> token) or require an additional authentication by binding to a key (i.e. >>> bound token) >>> >>> Feedbacks / discussion >>> >>> - Would require the subdefinitions right: ability for an end-user to >>> perform a given operation (or action) on a resource (or object) under the >>> control of a RS / attribute: property related to an end-user. >>> - Note 2 is here in relationship with PR 129 >>> <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/129> >>> >>> Grant >>> >>> - Definition (verb): to permit, as a privilege given to an end-user >>> to exercise some rights and/or assert attributes during a specific duration >>> - Definition (noun): the act of granting >>> >>> Key >>> >>> - Definition: public cryptographic binding a request to the holder >>> of a private key, used by the protocol entities (AS, RS, client instance, >>> bound token, etc.) to identify themselves. >>> - Note: a key can be rotated or revoked by its holder. The protocol >>> supports the update of the key information. >>> >>> Feedbacks / discussion >>> >>> - Denis thinks the term "key" is well understood and doesn't need to >>> be defined. Yet, I tend to believe we'd gain to keep it. First the generic >>> term "key" may be many things : symmetric/asymmetric, public/private, etc. >>> It's also useful to explain its use in the protocol >>> >>> Resource >>> >>> - Definition: protected API served by a RS and accessed by a client, >>> if and only if a valid access token is provided >>> >>> >>> >>> On Fri, Dec 11, 2020 at 6:05 PM Fabien Imbault <fabien.imbault@gmail.com> >>> wrote: >>> >>> Hi Yaron, >>> >>> >>> >>> Yes I highlighted that this was a new term. We can deal with it as a >>> separate issue indeed. >>> >>> >>> >>> Best >>> >>> Fabien >>> >>> >>> >>> On Fri, Dec 11, 2020 at 6:02 PM Yaron Sheffer <yaronf.ietf@gmail.com> >>> wrote: >>> >>> Hi Fabien, >>> >>> >>> >>> Yes, we definitely need to reach closure on terminology, thank you for >>> driving this discussion! >>> >>> >>> >>> One process comment: unless I’m missing something, the Interact (or >>> Interaction) Server is not mentioned in the current draft. I suggest we do >>> not introduce new functional components or new behaviors as part of the >>> terminology discussion. Specifically, if the IS is useful, let’s reach >>> consensus on that separately. Then we can add it into the Terminology >>> section. >>> >>> >>> >>> Thanks, >>> >>> Yaron >>> >>> >>> >>> *From: *TXAuth <txauth-bounces@ietf.org> on behalf of Fabien Imbault < >>> fabien.imbault@gmail.com> >>> *Date: *Friday, December 11, 2020 at 14:31 >>> *To: *Denis <denis.ietf@free.fr> >>> *Cc: *GNAP Mailing List <txauth@ietf.org> >>> *Subject: *Re: [GNAP] Terminology proposal >>> >>> >>> >>> Hi Denis, >>> >>> >>> >>> Thanks for your detailed feedback. My comments are embedded into your >>> message. Again those comments are my own, and we'll need to converge to >>> some consensus beyond what I say here. My main open question is really >>> about the RO being optional. Could you explain? >>> >>> >>> >>> Fabien >>> >>> >>> >>> On Fri, Dec 11, 2020 at 12:08 PM Denis <denis.ietf@free.fr> wrote: >>> >>> This is a global response to the definitions proposal. >>> >>> >>> TerminologyI propose to adopt the way ISO defines how to write the >>> definitions.It is a *single sentence* that may be substituted to the >>> wording being defined in the context of a sentence that uses that >>> definition. >>> Since this single sentence can be substituted to the wording, there is >>> not point at the end of that sentence. The sentence does not >>> have a "a" or "the" in front of it. >>> >>> >>> >>> [FI] In the first version, I was mostly trying to not get too far away >>> from the current text. But yes that's a good idea, it gives a more >>> formal rule, which has been proven to work. >>> >>> >>> >>> If more information is useful to understand the wording, it is placed in >>> one or more notes afterwards. >>> >>> >>> >>> Note: The ISO rules for drafting definitions are in the ISO/IEC >>> Directives, Part 2 (edition 2018): >>> >>> 16.5.6 Definitions >>> >>> The definition shall be written in such a form that it can replace the >>> term in its context. It shall not start with an article (“the”, “a”) nor >>> end with a full stop. >>> A definition shall not take the form of, or contain, a requirement. >>> >>> Only one definition per terminological entry is allowed. If a term is >>> used to define more than one concept, a separate terminological entry shall >>> be created >>> for each concept and the domain shall be included in angle brackets >>> before the definition. >>> >>> Circular definitions, which repeat the term being defined, are not >>> allowed. >>> >>> Comments are inserted between the lines. >>> >>> >>> >>> Hello everyone, >>> >>> >>> >>> As an editor : a quick reminder that terminology issues will be >>> discussed in the coming weeks, and we're expecting your inputs right now >>> (according to the process previously sent on the mailing list). >>> >>> https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/29 >>> >>> https://github.com/ietf-wg-gnap/gnap-core-protocol/wiki/Terminology >>> >>> >>> >>> The rest of this message is a proposal written in my own name, and >>> doesn't involve discussions with the editors/chairs who might have >>> different opinions. >>> Authorization Server (AS) >>> >>> Manages the granting of privileges to a third-party client instance. If >>> the RO consents to at least a part of what is requested, the AS issues an >>> access token to the client. >>> >>> *My questions: * >>> >>> *- was else do we issue? (e.g. id claims, payment info, etc.) We could >>> have more than access tokens, but “directed information” is not clear. I >>> removed that for now.* >>> >>> *- there might potentially be several AS, currently we don’t reflect >>> that anywhere. If would leave that as an open item, depending on what we >>> end up doing in the spec* >>> >>> I am not in favour of this definition: A RO as defined later: >>> "authorizes the request to access a protected resource from the RS to the >>> client". >>> This does not mean in any way that a RO has necessarily a direct >>> relationship with one or more ASs. [FI] indeed we could remove that >>> limitation, to have a more general definition >>> Using the ISO style for definitions, I propose: >>> >>> Authorization Server (AS): server that grants rights and/or attributes >>> to a particular end-user and that provides them to a client in the form of >>> an access token >>> >>> Since this definition is using the words "rights" and "attributes", >>> these two terms need to be defined as well. >>> >>> right: ability for an end-user to perform a given operation on an object >>> under the control of a RS >>> >>> attribute: property related to an end-user >>> >>> >>> >>> [FI] I like your proposal in general. There might be some discussions on >>> the details. I don't think it makes sense to grant "attributes". >>> >>> Some explanations: a "right" is able to support a capability scheme. An >>> "attribute" is able to support an ACL scheme. >>> >>> These two schemes are able to support "discretionary access control" >>> where the end-user has a "need-to-know". >>> >>> However, some attributes are also able to support what was called in >>> the past "mandatory access control"; for example, >>> >>> if the end-user is cleared to "top-secret / marketing strategy". >>> >>> >>> >>> Interact Server (IS) - this is a new proposed term >>> >>> Manages the front-end interaction with the RO, in order to gather its >>> consent. Depending on the deployment model and the privacy requirements, >>> the IS may be a component of the AS, or may be distinct and managed by >>> another party. >>> >>> Example : an IS usually involves a web interface accessed by RO through >>> a web browser. >>> >>> Note : an IS is not always required, especially if the access is granted >>> through automated policies. >>> >>> Using the ISO style for definitions, I propose: >>> >>> >>> >>> Interact*ion* Server (IS) >>> >>> component from the AS or server interfacing with an AS that manages the >>> interactions with a RO, in order to gather its authorizationNote : >>> since the RO is an optional component, the IS is also an optional component. >>> >>> >>> >>> [FI] indeed IS is optional. note for myself when looking at RO : why is >>> RO optional ? >>> >>> Client Requests privileges from the AS, and uses access tokens at the >>> RS. This specification differentiates between a specific instance (the >>> client instance, identified by its unique public key) >>> and the software running the instance (the client software). . For some >>> kinds of client software, there could be many instances of a single piece >>> of client software. >>> The AS determines which policies apply to a given client instance, >>> including what it can request and on whose behalf. >>> >>> Some comments: The above text is stating: "(the client instance, >>> identified by its unique public key)". >>> A client instance may use a public key, but that key is not necessarily >>> unique, in particular when there are multiple ASs. >>> >>> [FI] yes, although when possible I would still consider a better >>> practice to expose a key to a specific AS and not to the entire set of >>> available ASs. >>> >>> Example : a client can be a mobile application or a web application (the >>> client software) that requires authorizations from the RO to retrieve >>> content from various protected APIs. The client instance may for instance >>> refer to a specific version of that client software. >>> >>> *See on-going discussion : >>> https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/132 >>> <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/132> (client >>> instance). * >>> >>> Using the ISO style for definitions, I propose: >>> >>> Client: application used by an end-user to interact with an AS or a RS >>> >>> Note: a client can be a mobile application or a web application [FI] >>> for me those are just examples, because there could me more (ex IoT device) >>> >>> [FI] you remove the entire discussion on client instance / client >>> software, is that on purpose because you think it's not useful/right, or is >>> it because of something else? (maybe add your comment of the related >>> issue) >>> >>> Resource Server (RS) >>> >>> Accepts valid access tokens from the client issued by the AS and serves >>> protected resources on behalf of the RO. There could be multiple RSs >>> protected by the AS that the client may call. >>> >>> Example : a RS is often composed of protected APIs that can be consumed >>> by authorized client software. >>> >>> One comment: a RO is not necessarily involved. [FI] a bit hard to >>> imagine, there's some kind of owner. Could you be more explicit? >>> Using the ISO style for definitions, I propose: >>> >>> Resource Server (RS): server that accepts valid access tokens from >>> clients issued by one or more ASs which are used to grant or deny some >>> requested operations >>> >>> Note: a RS is often composed of protected APIs that can be consumed by >>> clients. >>> >>> >>> >>> Resource Owner (RO) >>> >>> Authorizes the request to access a protected resource from the RS to the >>> client. The RO may decide to remove its consent at any time. >>> >>> Note : the RO may be a physical person or may represent an organization. >>> >>> >>> >>> Two comments: In order to avoid confusion with the end-user consent, the >>> word " authorization" is being used instead of "consent". [FI] ok >>> >>> It should be said that the RO is an optional component. [FI] why? Using >>> the ISO style for definitions, I propose: >>> >>> Resource Owner (RO): physical person acting on its own or representing >>> an organization that authorizes to clients operations on protected >>> resources from a RS >>> >>> Note: The RO is an optional component that may interact either with one >>> RS or with one or more ASs ,e.g. using an IS. >>> >>> End-user – this was previously Requesting Party RQ >>> >>> A physical person that operates and interacts with the client software. >>> >>> Note : the end-user may or may not be the same entity as the RO. >>> >>> The Note is slightly incorrect. the *physical person* may or may not be >>> the same entity as the RO. [FI] I didn't understand your comment >>> Using the ISO style for definitions, I propose: >>> >>> End-user : physical person that operates and interacts with the client >>> software >>> >>> Note : that physical person may or may not be the same entity as the >>> RO. >>> >>> >>> >>> Access Token >>> >>> A set of privileges delegated to the client instance for a specific >>> end-user. An access token is created by the AS, consumed and verified by >>> the RS, and issued to and carried by the client's end-user on behalf of the >>> RO. The contents and format of the access token are opaque to the client. >>> >>> Example : JWT is a commonly used format. >>> >>> Note 1 : an access token generally has a limited duration, after which >>> it may be refreshed at a regular interval. >>> >>> Note 2 : an access token may be revoked at any time by the RO. >>> >>> Note 3 : an access token may act as a capability or require an >>> additional authentication by binding to a key >>> >>> A fundamental point: the third sentence from the definition states: "The >>> contents and format of the access token are opaque to the client". >>> >>> [FI] I'll check your other thread dedicated to that issue >>> >>> See my other email sent today about "RS-Token Introspection or RC-Token >>> Introspection" where I conclude: >>> >>> For end-users caring about their privacy (or for systems willing >>> to protect the user's privacy), access tokens should not be considered >>> to be opaque to RCs nor to RSs and ASs should not support Token >>> Introspection, whether it is RS-Token Introspection or RC-Token >>> Introspection. >>> >>> The example and the other Notes above should be removed. If needed they >>> should be placed in the main body of the document. >>> >>> Using the ISO style for definitions, I propose: >>> >>> Access Token : digitally signed data issued by an Authorization Server >>> (AS) and consumed by a Resource Server (RS) >>> that contains rights and/or attributes granted >>> to a particular end-user >>> >>> >>> >>> Grant >>> >>> The process by which the client requests and is given delegated access >>> to the RS by the AS through the authority of the RO. >>> >>> Using the ISO style for definitions, I propose: >>> >>> Grant: permission given to end-user to use a subset of his rights and/or >>> his attributes at a specific time and for a specific duration >>> >>> >>> >>> Key >>> >>> A public cryptographic binding a request to the holder of a private key. >>> Access tokens and client instances can be associated with specific keys at >>> a point in time. >>> >>> Note : a key can be rotated or revoked by its holder. The protocol >>> supports the update of the key information. >>> >>> "key" is a general term that is well understood and that does not need >>> to be defined. [FI] I really wouldn't bet on that. We can reuse an >>> existing definition but it is a central piece so we need to be explicit >>> >>> The "definitions" section is not intended to explain what can be done >>> with the term that is being defined. [FI] ok we can work on that >>> Until the word "key" is qualified using one or more other terms, this >>> definition should be removed. >>> >>> >>> >>> Resource >>> >>> A protected API served by the RS and accessed by the client if and only >>> if access has been granted. Access to this resource is delegated by the RO >>> as part of the grant process. >>> >>> The second sentence of the definition is not in accordance with the ISO >>> style or definitions and furthermore this second sentence should be removed >>> since a RO is an optional element. >>> >>> >>> Using the ISO style for definitions, I propose: >>> >>> Resource: protected API served by a RS and accessed by a client, if and >>> only if access is granted by an access token >>> >>> Subject Information >>> >>> Information about a subject (usually a RO) that is returned directly to >>> the client from the AS. >>> >>> Note : this information needs to be unique. >>> >>> >>> >>> This definition exhibits several problems: >>> >>> (1) The term "subject" is not defined. >>> >>> (2) The information that is returned is for an end-user, i.e. not for "(usually >>> a RO)". >>> >>> (3) The Note states : "this information needs to be unique". Does it >>> mean unique for the AS ? globally unique ? >>> >>> This definition should be revisited. [FI] I agree (I myself had many >>> questions here) >>> >>> Denis >>> >>> >>> >>> *My questions : * >>> >>> *- probably we’d need to define subject* >>> >>> *Subject : >>> https://open-measure.atlassian.net/wiki/spaces/DIC/pages/67600697/Subject+Dictionary+Entry >>> <https://open-measure.atlassian.net/wiki/spaces/DIC/pages/67600697/Subject+Dictionary+Entry>* >>> >>> *- might be useful to clarify the relationship to what identity >>> providers do * >>> >>> >>> >>> >>> >>> Cheers >>> >>> Fabien >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> -- >>> TXAuth mailing list >>> TXAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/txauth >>> >>> -- TXAuth mailing list TXAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/txauth >>> >>> -- >> TXAuth mailing list >> TXAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/txauth >> >
- [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Denis
- Re: [GNAP] Terminology proposal Fabien Imbault
- [GNAP] Open question: Why is a RO optional ? Denis
- Re: [GNAP] Terminology proposal Yaron Sheffer
- Re: [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Yaron Sheffer
- Re: [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Yaron Sheffer
- Re: [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Yaron Sheffer
- Re: [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Tom Jones
- Re: [GNAP] Terminology proposal Fabien Imbault