Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11 - Dictionary
Francis Pouatcha <fpo@adorsys.de> Wed, 22 July 2020 21:12 UTC
Return-Path: <fpo@adorsys.de>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB0B73A09A8 for <txauth@ietfa.amsl.com>; Wed, 22 Jul 2020 14:12:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adorsys.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OhpeMgdWcugU for <txauth@ietfa.amsl.com>; Wed, 22 Jul 2020 14:12:51 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F18CD3A09A6 for <txauth@ietf.org>; Wed, 22 Jul 2020 14:12:50 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id c80so3143726wme.0 for <txauth@ietf.org>; Wed, 22 Jul 2020 14:12:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adorsys.de; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0GiYFlp7qNEZT8VJk0edYx3f5+cDd8lgo7/I46xJeh0=; b=KU+shBZsq1NegrYpaB4TXoPITCV4FshzAtGjhUo0GkWNmqMirD04bWBhQUMVOmworY D1M5n7ZkyjmKW13yZhvBwBB8h/v+nShhxpIi1toSiwB3GcoBUmiASFvqCej4bA5o8jCK /dniBWtwsE9N1z1XHKVseLU5sh+0kawuxPFy0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0GiYFlp7qNEZT8VJk0edYx3f5+cDd8lgo7/I46xJeh0=; b=QeK+L5b2KZJ7e+PjlxU9gCmdMkCmOL/IBi1x/HIlEX+GWdp0c2jJzD9y2WSXVn3yvk E5F0shajMnuH3Nhsar4ZzklVbmP+QkSZAqtXgvIT5sp3X7O4NNEikl+P30cUjgxO1LER DgAV7/6iOwQBrGI1/SodCYpLfWkAX5KmevqpFzEupAFwMRgK5bOKB3PtGP8bG84McUA9 5th8NUPr0D8++EsmbkiHSTtjDTTqD7lcqrM9bEpzV4Vips6/0UoS5ea+C/Zx3220g/Cy uUCOn8hUc22tRyRwACTu1WlE2/rbotsoTscs2F1aaxlxwAQkEIqgARiHrbRhMk+sY9i5 69Rw==
X-Gm-Message-State: AOAM531mad9Tqts5qb4WwrgAjISi4HOxwAE/N2tObh5gUU0OjUU7w2ch MZoi4cxtzv3SDtwL2phG86/XPc+GF3j7dEpbHz2AIQ==
X-Google-Smtp-Source: ABdhPJy/8xzeb8iI880YCoBe5GhBzonMw/5ooiJpdwrDEDgYAxqTfd9+GcWUH1pXinRd95usU4g18+m5IkZjIp/+IrI=
X-Received: by 2002:a7b:c952:: with SMTP id i18mr1347539wml.65.1595452369280; Wed, 22 Jul 2020 14:12:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAOW4vyO2C1E3Sg58CrSVT81t0T3iCTY87tdAx+a8d2A+cNa3nA@mail.gmail.com> <CAD9ie-vMzepgmaP-jUunKSo-chWrGpB230TWgJq7u8Yt-afDxA@mail.gmail.com> <CAOW4vyObyZC7USUqsW_qdDV9Hcpvg9OHKmM1yMEjSUvmjx0UZQ@mail.gmail.com> <CAD9ie-sWn41XDiwyFMcTgV3a8MMESXqf36fNJcTaSYDKwU+LPg@mail.gmail.com> <CAOW4vyNzGG95eNf6RRLf_jgHoQDMJHz8kPF10EENeaAq9vkrVQ@mail.gmail.com> <CAD9ie-vPDMPM8CRid169WsssD0r3dWNqoNCDJcgrxEs+MfvtjQ@mail.gmail.com> <CAOW4vyOjpL3Qoy02uV1dxc+wYir+yh0wWKiaV93OqzRXtk_Sxg@mail.gmail.com> <CAOW4vyMgW=3-nrgODnhj-BweWhJgW3WzTJDhSAwdnHFdho6msg@mail.gmail.com> <CAM8feuTLGXN50QCMi-08xj60APQvMcqEZjDw4-gm2sWoM0NqBg@mail.gmail.com>
In-Reply-To: <CAM8feuTLGXN50QCMi-08xj60APQvMcqEZjDw4-gm2sWoM0NqBg@mail.gmail.com>
From: Francis Pouatcha <fpo@adorsys.de>
Date: Wed, 22 Jul 2020 17:12:33 -0400
Message-ID: <CAOW4vyMjgYt=pOLAgZyTux9EqTOt6Qsgs63wL9R7hXe3BRiLsg@mail.gmail.com>
To: Fabien Imbault <fabien.imbault@gmail.com>
Cc: txauth@ietf.org, Tom Jones <thomasclinganjones@gmail.com>, Denis <denis.ietf@free.fr>, Justin Richer <jricher@mit.edu>, Dick Hardt <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000ba353705ab0e3336"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/hkc_N06VCeQVlu3HEU-fNpLI89U>
Subject: Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11 - Dictionary
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2020 21:12:54 -0000
Hello Fabian, On Wed, Jul 22, 2020 at 4:26 AM Fabien Imbault <fabien.imbault@gmail.com> wrote: > Hi all, > > Thanks for that work. > It would make things easier if we could group the definitions which can be > generic (without any knowledge of the GNAP architecture) from the terms > which are dependent on the protocol flow itself. > > For terminology, the way it is done in ISO standards is quite interesting > and we probably could reuse some ideas. The general rule of thumb is to > reuse definitions when that's possible and re-define only when necessary. > See for instance > https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en > You'll find : > - a definition > - potentially some notes (here we can explain how it differs from an > already existing term used in a different context) and some examples > - related reference (in many cases, we don't even need to reinvent > something, as we just need to be consistent with terms already used in the > community) > Good idea. > Generic definitions : > - resource, claim, consent, grant, authorization -> seems to me these are > generic. Why does it matter in the definition that we know which party is > doing it? > Relationship to parties is essential for the understanding of the GNAP protocol. - in most cases, those definitions shouldn't be different from other WGs, > or else we should explain why that is. > - party : if we refer to roles, we need to define that too. > party is defined to help delimitate User, Client, RS, GS, RO from other terms. > - grant : I don't get what you mean by "material form of an RO consent". > What is material? > I meant: a Grant is a [materialization/database representation/...] of an RO consent. GS stores the RO Consent in the form of a Grant. > Specific definitions : > - User, User-Agent, Client, RO, GS : all these are specific to the way the > protocol is specified, so it does make sense to relate to the parties doing > it. > Ok. - But even then, we need to check whether that specificity is required. I'm > not sure I agree with your definition of User, though. In 99% of use cases, > a user is just... a user, i.e. a natural person. Why do we need to make > this definition so convoluted? > Term User is introduced by Dick (see: https://tools.ietf.org/html/draft-hardt-xauth-protocol-11#section-1.1). We am trying to distance it from the RO. As this confusion leads to a lot of misunderstandings in discussions in the group. The User-Agent definition seems enough to convey the idea that interactions > can be done through real users or things. > Not so sure. Precision helps reduce misunderstandings in discussions we are conducting on GNAP. Best regards. /Francis > > Cheers > > Fabien > > > On Wed, Jul 22, 2020 at 2:33 AM Francis Pouatcha <fpo= > 40adorsys.de@dmarc.ietf.org> wrote: > >> Hello Dick, Justin, Tom, Denis, >> >> Below is a new version of the dictionary includings comments from >> different threads. Change log includes: >> - avoided the expression "owns a resource" in favor of the expression >> "controls a resource" >> - included the clarification "resource access" and "claim release" >> - included a clarification User vs. RO >> - tried to clarify the word User-Agent >> - added the definition of a Claim >> >> Terms >> ===== >> >> Party - represents a role in the GNAP protocol flow. A party can take the >> form of a web service, an application installed on the user device and >> acting autonomously or the form of a natural person (resp... of an >> autonomous device) using an application to interact with other parties. >> >> Resource - a piece of data or web service >> - controlled by a Resource Owner (RO), >> - held and guarded by a Resource Server (RS) and >> - serviced by the RS to a Client, if the Client provides a valid >> Authorization. >> >> Claim - a piece of data >> - controlled by a Resource Owner (RO), >> - held and guarded by the Grant Server (GS) and >> - released by the GS to a Client as part of an Authorization. >> >> Resource Owner (RO) - the party that >> - controls a Resource, >> - relies on the services the GS to manage access to that Resource, >> - relies on the services of a RS to hold the Resource and guard >> access to that Resource, >> - controls a Claim, >> - relies on the services the GS to release that Claim to a Client. >> >> Resource Server (RS) - the party that >> - holds a resource and guards access to that resource on behalf of >> the RO, >> - services the Resource to the requesting Client, provided the >> Client presents a valid Authorization. >> The RS is generally deployed as a web service. >> >> Grant Server (GS) - the party that >> - manages access to a Resource on behalf of the RO, >> - holds Claims and releases them when consented by the RO. >> For each Resource access request, the GS might request the Consent >> of the RO and produce a corresponding Authorization that is given to the >> requesting Client. >> >> Consent - act of an RO : >> - approving access to a Resource, means approval that a Resource he >> controls can be given to the Client by the RS. >> - approving release of a Claim, means approval that a Claim he >> controls can be included by the GS in an Authorization to be returned to >> the Client. >> >> Grant - material form of an RO Consent. In order not to interact with the >> RO on each Resource access request, the GS might store the RO Consent in >> the form of a Grant for reuse. >> >> Authorization - externalized form of a Grant as known to the GS and the >> RS. >> - The GS converts a Grant into an Authorization for use in a >> Resource access request. >> - The RS evaluates an Authorization to decide on whether or not to >> release the Resource to the Client. >> >> Client - the party that provides the infrastructure used by a User to >> access a Resource. The client infrastructure is designed to: >> - Receive the resource access request from the User, >> - Interact with the RS to discover authorization requirements, >> - Interact with the GS to obtain an Authorization to access the >> Resource, >> - Interact with the RS to access the Resource on behalf of the User. >> >> User - the party using the infrastructure of the Client to gain access to >> a Resource or a Claim. >> >> >> Clarifications: >> ========== >> >> User vs. RO : >> - the User is the party using the infrastructure of the Client to >> gain access to a Resource or a Claim, >> - the RO is the party controlling access to a Resource or >> controlling the release of a Claim. >> In many use cases, User and RO will be represented by the same party (see >> oAuth2), but GNAP exposes use cases where User and RO are represented by >> different parties. >> >> User-Agent : >> User and RO are parties that might be represented by a natural person or >> an autonomous device. In those cases, User (resp. RO) might need the help >> of an application to interact with other parties. Such an application is >> generally referred to as the "User-Agent". >> >> Feedbacks are welcome. >> >> Best regards, >> /Francis >> >> >> On Tue, Jul 21, 2020 at 2:27 PM Francis Pouatcha <fpo@adorsys.de> wrote: >> >>> >>> >>> On Tue, Jul 21, 2020 at 2:15 PM Dick Hardt <dick.hardt@gmail.com> wrote: >>> >>>> >>>> >>>> On Tue, Jul 21, 2020 at 11:09 AM Francis Pouatcha <fpo@adorsys.de> >>>> wrote: >>>> >>>>> >>>>> On Tue, Jul 21, 2020 at 1:59 PM Dick Hardt <dick.hardt@gmail.com> >>>>> wrote: >>>>> >>>>>> FYI: I consider the release of claims to be an "authorization" as >>>>>> well. >>>>>> >>>>> Great. Then it is included. >>>>> >>>> >>>> I pivoted to using the term Grant rather than authorization so that it >>>> included both authorizing access to a resource, and authorizing the release >>>> of an identity claim. >>>> >>>> Perhaps we should not use the word "authorization"? >>>> >>> Authorization is currently used to refer to the token issued by the >>> GSand presented to the RS by the Client. I have no alternative word for now. >>> >>>> >>>> "resource access" and "claim release" >>>> >>>> A Grant then covers both? >>>> >>> Yes, Great! The word Grant fits best for both. I suggest adding this >>> clarification to that dictionary. >>> >>>> >>>> >>>> >>>>> >>>>>> IE, the user authorizes the GS to release a DOB claim to a Client. >>>>>> >>>>> I guess you mean the "RO" authorizes the GS to release a DOB! >>>>> >>>> >>>> Yes, thanks for clarifying! >>>> >>>> /Dick >>>> >>>>> >>> >>> -- >>> Francis Pouatcha >>> Co-Founder and Technical Lead >>> adorsys GmbH & Co. KG >>> https://adorsys-platform.de/solutions/ >>> >> >> >> -- >> Francis Pouatcha >> Co-Founder and Technical Lead >> adorsys GmbH & Co. KG >> https://adorsys-platform.de/solutions/ >> -- >> Txauth mailing list >> Txauth@ietf.org >> https://www.ietf.org/mailman/listinfo/txauth >> > -- Francis Pouatcha Co-Founder and Technical Lead adorsys GmbH & Co. KG https://adorsys-platform.de/solutions/
- [Txauth] Reviewing draft-hardt-xauth-protocol-11 … Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Tom Jones
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Tom Jones
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Fabien Imbault
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Justin Richer
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Tom Jones
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Claims [was: - Dictionary] Justin Richer
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Tom Jones
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Tom Jones
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Tom Jones
- Re: [Txauth] Claims [was: - Dictionary] Justin Richer
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Justin Richer
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Justin Richer
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Yaron Sheffer
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Francis Pouatcha
- Re: [Txauth] Claims [was: - Dictionary] Tom Jones
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Francis Pouatcha
- Re: [Txauth] Claims [was: - Dictionary] Justin Richer
- Re: [Txauth] Claims [was: - Dictionary] Justin Richer
- Re: [Txauth] Claims [was: - Dictionary] Mike Jones
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Justin Richer
- Re: [Txauth] Claims [was: - Dictionary] Justin Richer
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt
- Re: [Txauth] Claims [was: - Dictionary] Justin Richer
- Re: [Txauth] Claims [was: - Dictionary] Dick Hardt