Re: [GNAP] Gathering Consent and Authorization
Denis <denis.ietf@free.fr> Fri, 09 April 2021 15:11 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CBBB3A2466 for <txauth@ietfa.amsl.com>; Fri, 9 Apr 2021 08:11:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.626
X-Spam-Level:
X-Spam-Status: No, score=0.626 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, NICE_REPLY_A=-0.001, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Z6Pb3T4btdn for <txauth@ietfa.amsl.com>; Fri, 9 Apr 2021 08:11:54 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp06.smtpout.orange.fr [80.12.242.128]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C7293A2464 for <txauth@ietf.org>; Fri, 9 Apr 2021 08:11:54 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.9.133]) by mwinf5d86 with ME id qfBq2400B2sDAeJ03fBqkH; Fri, 09 Apr 2021 17:11:51 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Fri, 09 Apr 2021 17:11:51 +0200
X-ME-IP: 90.26.9.133
To: Justin Richer <jricher@mit.edu>, GNAP Mailing List <txauth@ietf.org>
References: <40D2CDB6-9EF7-42B1-8926-CDDC3523A5AE@mit.edu>
From: Denis <denis.ietf@free.fr>
Message-ID: <db00be0b-3559-7738-d6d7-2699770a05cf@free.fr>
Date: Fri, 09 Apr 2021 17:11:49 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0
MIME-Version: 1.0
In-Reply-To: <40D2CDB6-9EF7-42B1-8926-CDDC3523A5AE@mit.edu>
Content-Type: multipart/alternative; boundary="------------970A4ABACA4024EB1D4016D7"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/cPHkZZSkQ7m0dGzOOsjEbIp_GBQ>
Subject: Re: [GNAP] Gathering Consent and Authorization
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 15:11:57 -0000
Hi Justin,
"Gathering Consent" is not solely related with a section that would be
called “Interaction at the AS”.
For authorizing a method on an object, the RS (or more precisely the RO
controlling that object) is wishing to obtain some privileges
(i.e. attributes types and /or rights ) inside an access token that may
be issued by *one AS among several ASs*.
The privileges a RS is wishing to obtain should be proportionate to the
method that is being requested on the object. This means that
in the first access to a RS, the client should advertise both the method
and the object on which the method applies and then in its response,
the RS should indicate which choices are possible and the reason(s)
behind each choice ("User Notice").
In general, it is possible to decompose the end-user choice into three
consecutive choices:
a) a first choice for selecting the AS,
b) a second choice for selecting different privileges *types *(i.e.
attributes types and /or rights types) for the selected AS,
c) a third choice selecting different privileges *values *for the
selected privileges types (i.e. attributes type values and /or
rights types values)
If a RS is only trusting one AS, the first choice becomes a YES or NO
question. The second choice must be based on information provided by the RS,
since only the RS is knowing the rational to request some set of
privileges. In such a case , the dialogue with the end-user can be done
either
*directly at the RS* or *locally at the client* using information
provided by the RS. The third choice must be done at the AS.
If a RS is trusting more than one AS, the first and the second choices
must be done before contacting an AS (see above), while the third choice
must be done at the AS.
Denis
PS. I have not yet read through the new text.
> We’ve recently had a lot of good discussion about the nature and role
> of the AS within GNAP, and the editors stated that we would be working
> on new text to incorporate this discussion. With that in mind, I
> wanted to bring everyone’s attention to a PR that makes some big
> changes to the core spec, though mostly in the description of how
> components work and less with the normative syntax of the protocol
> itself.
>
> https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/242
> <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/242>
>
> This rewrites the section that is currently “Interaction at the AS” to
> better describe the wider range of possibilities for the authorization
> process. Note that this PR hasn’t been tagged as “pending merge” by
> the editors yet, which means there’s not a review deadline in place
> yet, but since it’s such a big change we’d like to get it in somewhat
> soon. Please go read through the new text and help improve it!
>
> Thank you,
> — Justin
>
- [GNAP] Gathering Consent and Authorization Justin Richer
- Re: [GNAP] Gathering Consent and Authorization Denis
- Re: [GNAP] Gathering Consent and Authorization Fabien Imbault