Re: [GNAP] Terminology proposal
Fabien Imbault <fabien.imbault@gmail.com> Sun, 13 December 2020 19:29 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2740A3A017E for <txauth@ietfa.amsl.com>; Sun, 13 Dec 2020 11:29:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EK7UnbncO4Ib for <txauth@ietfa.amsl.com>; Sun, 13 Dec 2020 11:28:58 -0800 (PST)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF6DB3A0114 for <txauth@ietf.org>; Sun, 13 Dec 2020 11:28:57 -0800 (PST)
Received: by mail-il1-x12d.google.com with SMTP id r17so13846613ilo.11 for <txauth@ietf.org>; Sun, 13 Dec 2020 11:28:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=r185Rd4NRI/5i7UnsPdkkF/aVFtePDtQMJwXiIC2cu8=; b=k79xI9RZwnzeh0kNb7tdklm4SFOFJFiBNp2S5clmtbJwlq6FG6+CaG2dJ0uqnrzwHG uA8GP3U6EvWzdGaBZRK7MrdgFrUWE4NBGGHiVGElz1FS0wT3vx7YCgWfoFOZPwR61nPU nQgjwuL5KWsKSiB/GpS/Xq5fAitklct/2ZTGZcf8lC0d463p/+SaugTYq9Kgxg+oJBLP b0g3s3hw/lgRmnkM94FERROt1SLCJrrT5ExAyCTny58Nf1WlNDAoms9BdIzvJt3WliAX 13e8gk9Ogz5n9uljOg2boqJfySYXrHbcAK8YhSAW/kPA4yN9VErQnwTChE4iS1BmoQ+S kjaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=r185Rd4NRI/5i7UnsPdkkF/aVFtePDtQMJwXiIC2cu8=; b=G+7faOegysTDSLGpd7vSfeutWTrAPZofoVW0AQJmLpMutLyNECIDJoTmh+ah+SRO+X PPpSAlWEwK++DNG/SoFvqL1JfDD+Sv9EYv93MRpHRcLemSusWvnuDL5JYMh13mvAO8UG VWqx7AX75J+Rb3DCdn8NaFTeSJkqGUtSaWOzenOaCeWFmKFLaWzGczfifk875XdNEYcn tsmp034OC5aiQCqzF6TTatprDfb204+aTKGKrmZlWkoTl9hJm9g5Jwiq7hYKtyBw4DuV uw+LPFyTxydhJ3g2S61sNlRiQHEfB2JcnuJsNrXE2Ld11JZbK78k9JcyQM4nNRTMbYTQ +NlQ==
X-Gm-Message-State: AOAM532MPzB9Eac3dF5NR/RqnE7xkN6nX1W7Cec72G0wjKhrSYQa3RIk 9SpBuR+dyJ/bYeFMQTCByjmex9S8jHDDQjAJ/WIVy5OVCI+79w==
X-Google-Smtp-Source: ABdhPJw4DOgB8+9LIXt41yGHh6SJmYIrkkLtkEoRhQW76O7jWQN6cmiTAwvJPHHd2WpHu+WizSZPtZ6MJzooCIRgj0w=
X-Received: by 2002:a92:6b05:: with SMTP id g5mr28853979ilc.289.1607887736547; Sun, 13 Dec 2020 11:28:56 -0800 (PST)
MIME-Version: 1.0
References: <CAM8feuT0ex-Jm1=pfyPN6DX_X2gcB8wuGQ3UJMtbO=3kxTmR8Q@mail.gmail.com> <26b4f31f-921c-6f9e-57d9-e378406e4cb6@free.fr> <CAM8feuT0YToOAnyXDXPdKgt4BxUjmTwx+y+9k+0Tpm-pdZR0nQ@mail.gmail.com> <95C942E8-5261-4DA3-9764-27767B6E6BF1@gmail.com> <CAM8feuRqyD+ej7Wh1vi4_pdBtcTV+k3_Au0JLFwa1VE=ODgPmA@mail.gmail.com> <CAM8feuTqtDO+VnqPY0o0u4SV-G=cH4ECSFtSNvi6qkauMNjoTQ@mail.gmail.com> <13422918-A279-45FD-97B7-E02D74534960@gmail.com> <CAM8feuSxJkX_M4+GNUD_k_mJTffpyVbtiwUKaAw02x-zQZQiJA@mail.gmail.com> <4B381A4C-573A-41E0-BD9E-6B97187ED2D5@gmail.com>
In-Reply-To: <4B381A4C-573A-41E0-BD9E-6B97187ED2D5@gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Sun, 13 Dec 2020 20:28:45 +0100
Message-ID: <CAM8feuQbWVjZ7sG8bUDz=xebA0_p4OdNoznF1NH0ktTyHpi2Ew@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Denis <denis.ietf@free.fr>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000602cec05b65d893d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/mX6QiduZfs9fmS2bUZDkG7eeGHs>
Subject: Re: [GNAP] Terminology proposal
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Dec 2020 19:29:02 -0000
Ok but if we limit to protected resources, we don't have that problem, so typically is not needed. On Sun, Dec 13, 2020 at 8:26 PM Yaron Sheffer <yaronf.ietf@gmail.com> wrote: > Hi Fabien, > > > > “Typically” means “usually, though there may be fully public resources > where some operations don’t require any authorization, but I don’t want a > normative statement in the Terminology section…” > > > > Thanks, > > Yaron > > > > *From: *Fabien Imbault <fabien.imbault@gmail.com> > *Date: *Sunday, December 13, 2020 at 21:21 > *To: *Yaron Sheffer <yaronf.ietf@gmail.com> > *Cc: *Denis <denis.ietf@free.fr>, GNAP Mailing List <txauth@ietf.org> > *Subject: *Re: [GNAP] Terminology proposal > > > > Hi Yaron, > > > > Stylistic comments are very important too. And at some point we'll need a > review from native english speakers in the group (I'm sure Justin and Aaron > will be of great help here). > > > > Just wondering: what do you mean by "typically"? (ideally I'd rather have > a definition which is not dependent on use case). > > > > As soon as we land on something, I'll update the wiki. > > > > Fabien > > > > > > > > On Sun, Dec 13, 2020 at 8:12 PM Yaron Sheffer <yaronf.ietf@gmail.com> > wrote: > > It’s purely stylistic, but I find the definition of RS (“server that > denies operations”) a bit funny. How about: > > > Resource Server (RS) > > - Definition: server that provides operations on protected resources; > such operations typically require that the client provide valid access > tokens issued by an AS > > Thanks, > > Yaron > > > > *From: *Fabien Imbault <fabien.imbault@gmail.com> > *Date: *Sunday, December 13, 2020 at 13:20 > *To: *Yaron Sheffer <yaronf.ietf@gmail.com> > *Cc: *Denis <denis.ietf@free.fr>, GNAP Mailing List <txauth@ietf.org> > *Subject: *Re: [GNAP] Terminology proposal > > > > Hello everyone, > > > > We're at the end of the 2 week period, and so I integrated the various > feedbacks : > > > > a) from Yaron's feedback, removed new term "IS" and update issue > https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/133 to handle > the proposal here > > b) integrated Tom's feedback regarding the RO (and moved to access token) > > c) definitions follow an ISO style as suggested by Denis, which we took as > a starting point (but I made the modifications I felt were necessary) > > > > I modified the definitions, notes and examples as a consequence. You'll > also find a summary of discussions for each term, so that we can keep track > of them too. > > > > My biggest question is : what should we use as our main vocabulary between > privilege/rights/attribute? I tried to clarify, please let me know what you > think. The general idea is that we grant privileges that are delivered > under the form of access tokens (which contain rights and/or attributes). > > Regarding whether access tokens should be opaque or not, I suggest to > remove that from the definition and handle that in issue > https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/145 > > > > All has been consolidated on the wiki too > https://github.com/ietf-wg-gnap/gnap-core-protocol/wiki/Terminology so > that we have a clearer view of where we stand. > > > > Please comment further on the list if you have comments, I'll update if > necessary (and refer to the mailing list url in the comment of the wiki > update, from now on). Then editors will review the proposal. > > Here is a copy of > https://github.com/ietf-wg-gnap/gnap-core-protocol/wiki/Terminology#latest-discussion-update > . > > > Latest discussion update > > Here we consolidate the latest proposal(s) from the group. We also include > the discussion items (individual feedbacks). > Authorization Server (AS) > > - Definition: server that grants privileges to a particular end-user > and that provides them to a client in the form of an access token > > Feedbacks / discussion / questions : > > - Suggested "privilege" definition (that we would probably add as an > additional sub-entry): "A privilege is the right to perform an operation > (or action) on a Resource." See also other def > <https://open-measure.atlassian.net/wiki/spaces/DIC/pages/67568310/Privilege+Dictionary+Entry> > - Note that we don't include claims in the definition (cf OIDC/SSI > integration), but since we talk about a "particular end-user" it is assumed > somehow > - Denis suggested we used "rights and attributes" instead of > privileges. [FI] However i don't think one can really speak about granting > attributes, except indirectly (ABAC). See access token for more on that, > where we can be more specific. > - Do we allow cases such as distributing the AS on a mobile? (in this > case we're at the limit of what we call a server) > > Client > > - Definition: application used by an end-user to interact with an AS > or a RS > - Note: this specification differentiates between a specific instance > (the client instance, identified by its public key) and the software > running the instance (the client software). For some kinds of client > software, there could be many instances of a single piece of client > software. > - Example: a client can be a mobile application, a web application, > etc. > > Feedbacks / discussion : > > - Replaces previously proposed RC, we wouldn't provide a short name. > - Keep OAuth2 term, but we clarify it > - Further discussion on Client instance > <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/132> > > Resource Server (RS) > > - Definition: server that denies operations on protected resources, > unless the client provides valid access tokens issued by an AS > > Feedbacks / discussion : > > - Denis suggests to make explicit that we could have several ASs - > "issued by one or more ASs" (also we'd need a convention on how to denote > plural, e.g. ASs). Not exactly sure right now of the multiple issuance > would work, so needs to be clarified. Also not sure if that's even > necessary (do we lack in generality if we keep the singular?) > > Resource Owner (RO) > > - Definition: physical person acting on its own or representing an > organization, that may grant privileges on resources he has authority upon > - Note: the act of granting privileges may be manual (i.e. through an > interaction) or automatic (i.e. through predefined rules). > > Feedbacks / discussion > > - As some point we suggested "The RO may decide to remove its consent > at any time." Tom provided useful feedback > <https://mailarchive.ietf.org/arch/msg/txauth/n_vDfQGaUO6v56nbXyG5lpDda-M/> on > that. Moved to access token where it fits more naturally. > > End-user > > - Definition: physical person that operates with the client software > - Note: that physical person may or may not be the same entity as the > RO > > Access token > > - Definition: digitally signed data that contains specific rights > and/or attributes > - Note 1: the access token can be issued to an end-user (usually > requiring his authentication) and subsequently refreshed. The AS usually > provides a method for the RO to revoke the privileges at any point in time. > - Note 2: an access token may act as a capability (i.e. bearer token) > or require an additional authentication by binding to a key (i.e. bound > token) > > Feedbacks / discussion > > - Would require the subdefinitions right: ability for an end-user to > perform a given operation (or action) on a resource (or object) under the > control of a RS / attribute: property related to an end-user. > - Note 2 is here in relationship with PR 129 > <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/129> > > Grant > > - Definition (verb): to permit, as a privilege given to an end-user to > exercise some rights and/or assert attributes during a specific duration > - Definition (noun): the act of granting > > Key > > - Definition: public cryptographic binding a request to the holder of > a private key, used by the protocol entities (AS, RS, client instance, > bound token, etc.) to identify themselves. > - Note: a key can be rotated or revoked by its holder. The protocol > supports the update of the key information. > > Feedbacks / discussion > > - Denis thinks the term "key" is well understood and doesn't need to > be defined. Yet, I tend to believe we'd gain to keep it. First the generic > term "key" may be many things : symmetric/asymmetric, public/private, etc. > It's also useful to explain its use in the protocol > > Resource > > - Definition: protected API served by a RS and accessed by a client, > if and only if a valid access token is provided > > > > On Fri, Dec 11, 2020 at 6:05 PM Fabien Imbault <fabien.imbault@gmail.com> > wrote: > > Hi Yaron, > > > > Yes I highlighted that this was a new term. We can deal with it as a > separate issue indeed. > > > > Best > > Fabien > > > > On Fri, Dec 11, 2020 at 6:02 PM Yaron Sheffer <yaronf.ietf@gmail.com> > wrote: > > Hi Fabien, > > > > Yes, we definitely need to reach closure on terminology, thank you for > driving this discussion! > > > > One process comment: unless I’m missing something, the Interact (or > Interaction) Server is not mentioned in the current draft. I suggest we do > not introduce new functional components or new behaviors as part of the > terminology discussion. Specifically, if the IS is useful, let’s reach > consensus on that separately. Then we can add it into the Terminology > section. > > > > Thanks, > > Yaron > > > > *From: *TXAuth <txauth-bounces@ietf.org> on behalf of Fabien Imbault < > fabien.imbault@gmail.com> > *Date: *Friday, December 11, 2020 at 14:31 > *To: *Denis <denis.ietf@free.fr> > *Cc: *GNAP Mailing List <txauth@ietf.org> > *Subject: *Re: [GNAP] Terminology proposal > > > > Hi Denis, > > > > Thanks for your detailed feedback. My comments are embedded into your > message. Again those comments are my own, and we'll need to converge to > some consensus beyond what I say here. My main open question is really > about the RO being optional. Could you explain? > > > > Fabien > > > > On Fri, Dec 11, 2020 at 12:08 PM Denis <denis.ietf@free.fr> wrote: > > This is a global response to the definitions proposal. > > > TerminologyI propose to adopt the way ISO defines how to write the > definitions.It is a *single sentence* that may be substituted to the > wording being defined in the context of a sentence that uses that > definition. > Since this single sentence can be substituted to the wording, there is not > point at the end of that sentence. The sentence does not > have a "a" or "the" in front of it. > > > > [FI] In the first version, I was mostly trying to not get too far away > from the current text. But yes that's a good idea, it gives a more formal > rule, which has been proven to work. > > > > If more information is useful to understand the wording, it is placed in > one or more notes afterwards. > > > > Note: The ISO rules for drafting definitions are in the ISO/IEC > Directives, Part 2 (edition 2018): > > 16.5.6 Definitions > > The definition shall be written in such a form that it can replace the > term in its context. It shall not start with an article (“the”, “a”) nor > end with a full stop. > A definition shall not take the form of, or contain, a requirement. > > Only one definition per terminological entry is allowed. If a term is used > to define more than one concept, a separate terminological entry shall be > created > for each concept and the domain shall be included in angle brackets before > the definition. > > Circular definitions, which repeat the term being defined, are not allowed. > > Comments are inserted between the lines. > > > > Hello everyone, > > > > As an editor : a quick reminder that terminology issues will be discussed > in the coming weeks, and we're expecting your inputs right now (according > to the process previously sent on the mailing list). > > https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/29 > > https://github.com/ietf-wg-gnap/gnap-core-protocol/wiki/Terminology > > > > The rest of this message is a proposal written in my own name, and doesn't > involve discussions with the editors/chairs who might have different > opinions. > Authorization Server (AS) > > Manages the granting of privileges to a third-party client instance. If > the RO consents to at least a part of what is requested, the AS issues an > access token to the client. > > *My questions: * > > *- was else do we issue? (e.g. id claims, payment info, etc.) We could > have more than access tokens, but “directed information” is not clear. I > removed that for now.* > > *- there might potentially be several AS, currently we don’t reflect that > anywhere. If would leave that as an open item, depending on what we end up > doing in the spec* > > I am not in favour of this definition: A RO as defined later: "authorizes > the request to access a protected resource from the RS to the client". > This does not mean in any way that a RO has necessarily a direct > relationship with one or more ASs. [FI] indeed we could remove that > limitation, to have a more general definition > Using the ISO style for definitions, I propose: > > Authorization Server (AS): server that grants rights and/or attributes to > a particular end-user and that provides them to a client in the form of an > access token > > Since this definition is using the words "rights" and "attributes", these > two terms need to be defined as well. > > right: ability for an end-user to perform a given operation on an object > under the control of a RS > > attribute: property related to an end-user > > > > [FI] I like your proposal in general. There might be some discussions on > the details. I don't think it makes sense to grant "attributes". > > Some explanations: a "right" is able to support a capability scheme. An > "attribute" is able to support an ACL scheme. > > These two schemes are able to support "discretionary access control" where > the end-user has a "need-to-know". > > However, some attributes are also able to support what was called in the > past "mandatory access control"; for example, > > if the end-user is cleared to "top-secret / marketing strategy". > > > > Interact Server (IS) - this is a new proposed term > > Manages the front-end interaction with the RO, in order to gather its > consent. Depending on the deployment model and the privacy requirements, > the IS may be a component of the AS, or may be distinct and managed by > another party. > > Example : an IS usually involves a web interface accessed by RO through a > web browser. > > Note : an IS is not always required, especially if the access is granted > through automated policies. > > Using the ISO style for definitions, I propose: > > > > Interact*ion* Server (IS) > > component from the AS or server interfacing with an AS that manages the > interactions with a RO, in order to gather its authorizationNote : since > the RO is an optional component, the IS is also an optional component. > > > > [FI] indeed IS is optional. note for myself when looking at RO : why is RO > optional ? > > Client Requests privileges from the AS, and uses access tokens at the RS. > This specification differentiates between a specific instance (the client > instance, identified by its unique public key) > and the software running the instance (the client software). . For some > kinds of client software, there could be many instances of a single piece > of client software. > The AS determines which policies apply to a given client instance, > including what it can request and on whose behalf. > > Some comments: The above text is stating: "(the client instance, > identified by its unique public key)". > A client instance may use a public key, but that key is not necessarily > unique, in particular when there are multiple ASs. > > [FI] yes, although when possible I would still consider a better practice > to expose a key to a specific AS and not to the entire set of available > ASs. > > Example : a client can be a mobile application or a web application (the > client software) that requires authorizations from the RO to retrieve > content from various protected APIs. The client instance may for instance > refer to a specific version of that client software. > > *See on-going discussion : > https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/132 > <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/132> (client > instance). * > > Using the ISO style for definitions, I propose: > > Client: application used by an end-user to interact with an AS or a RS > > Note: a client can be a mobile application or a web application [FI] for > me those are just examples, because there could me more (ex IoT device) > > [FI] you remove the entire discussion on client instance / client > software, is that on purpose because you think it's not useful/right, or is > it because of something else? (maybe add your comment of the related > issue) > > Resource Server (RS) > > Accepts valid access tokens from the client issued by the AS and serves > protected resources on behalf of the RO. There could be multiple RSs > protected by the AS that the client may call. > > Example : a RS is often composed of protected APIs that can be consumed by > authorized client software. > > One comment: a RO is not necessarily involved. [FI] a bit hard to > imagine, there's some kind of owner. Could you be more explicit? > Using the ISO style for definitions, I propose: > > Resource Server (RS): server that accepts valid access tokens from clients > issued by one or more ASs which are used to grant or deny some requested > operations > > Note: a RS is often composed of protected APIs that can be consumed by > clients. > > > > Resource Owner (RO) > > Authorizes the request to access a protected resource from the RS to the > client. The RO may decide to remove its consent at any time. > > Note : the RO may be a physical person or may represent an organization. > > > > Two comments: In order to avoid confusion with the end-user consent, the > word " authorization" is being used instead of "consent". [FI] ok > > It should be said that the RO is an optional component. [FI] why? Using > the ISO style for definitions, I propose: > > Resource Owner (RO): physical person acting on its own or representing an > organization that authorizes to clients operations on protected resources > from a RS > > Note: The RO is an optional component that may interact either with one RS > or with one or more ASs ,e.g. using an IS. > > End-user – this was previously Requesting Party RQ > > A physical person that operates and interacts with the client software. > > Note : the end-user may or may not be the same entity as the RO. > > The Note is slightly incorrect. the *physical person* may or may not be > the same entity as the RO. [FI] I didn't understand your comment > Using the ISO style for definitions, I propose: > > End-user : physical person that operates and interacts with the client > software > > Note : that physical person may or may not be the same entity as the RO. > > > > Access Token > > A set of privileges delegated to the client instance for a specific > end-user. An access token is created by the AS, consumed and verified by > the RS, and issued to and carried by the client's end-user on behalf of the > RO. The contents and format of the access token are opaque to the client. > > Example : JWT is a commonly used format. > > Note 1 : an access token generally has a limited duration, after which it > may be refreshed at a regular interval. > > Note 2 : an access token may be revoked at any time by the RO. > > Note 3 : an access token may act as a capability or require an additional > authentication by binding to a key > > A fundamental point: the third sentence from the definition states: "The > contents and format of the access token are opaque to the client". > > [FI] I'll check your other thread dedicated to that issue > > See my other email sent today about "RS-Token Introspection or RC-Token > Introspection" where I conclude: > > For end-users caring about their privacy (or for systems willing to > protect the user's privacy), access tokens should not be considered > to be opaque to RCs nor to RSs and ASs should not support Token > Introspection, whether it is RS-Token Introspection or RC-Token > Introspection. > > The example and the other Notes above should be removed. If needed they > should be placed in the main body of the document. > > Using the ISO style for definitions, I propose: > > Access Token : digitally signed data issued by an Authorization Server > (AS) and consumed by a Resource Server (RS) > that contains rights and/or attributes granted > to a particular end-user > > > > Grant > > The process by which the client requests and is given delegated access to > the RS by the AS through the authority of the RO. > > Using the ISO style for definitions, I propose: > > Grant: permission given to end-user to use a subset of his rights and/or > his attributes at a specific time and for a specific duration > > > > Key > > A public cryptographic binding a request to the holder of a private key. > Access tokens and client instances can be associated with specific keys at > a point in time. > > Note : a key can be rotated or revoked by its holder. The protocol > supports the update of the key information. > > "key" is a general term that is well understood and that does not need to > be defined. [FI] I really wouldn't bet on that. We can reuse an existing > definition but it is a central piece so we need to be explicit > > The "definitions" section is not intended to explain what can be done with > the term that is being defined. [FI] ok we can work on that > Until the word "key" is qualified using one or more other terms, this > definition should be removed. > > > > Resource > > A protected API served by the RS and accessed by the client if and only if > access has been granted. Access to this resource is delegated by the RO as > part of the grant process. > > The second sentence of the definition is not in accordance with the ISO > style or definitions and furthermore this second sentence should be removed > since a RO is an optional element. > > > Using the ISO style for definitions, I propose: > > Resource: protected API served by a RS and accessed by a client, if and > only if access is granted by an access token > > Subject Information > > Information about a subject (usually a RO) that is returned directly to > the client from the AS. > > Note : this information needs to be unique. > > > > This definition exhibits several problems: > > (1) The term "subject" is not defined. > > (2) The information that is returned is for an end-user, i.e. not for "(usually > a RO)". > > (3) The Note states : "this information needs to be unique". Does it mean > unique for the AS ? globally unique ? > > This definition should be revisited. [FI] I agree (I myself had many > questions here) > > Denis > > > > *My questions : * > > *- probably we’d need to define subject* > > *Subject : > https://open-measure.atlassian.net/wiki/spaces/DIC/pages/67600697/Subject+Dictionary+Entry > <https://open-measure.atlassian.net/wiki/spaces/DIC/pages/67600697/Subject+Dictionary+Entry>* > > *- might be useful to clarify the relationship to what identity providers > do * > > > > > > Cheers > > Fabien > > > > > > > > > > > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > -- TXAuth mailing list TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > >
- [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Denis
- Re: [GNAP] Terminology proposal Fabien Imbault
- [GNAP] Open question: Why is a RO optional ? Denis
- Re: [GNAP] Terminology proposal Yaron Sheffer
- Re: [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Yaron Sheffer
- Re: [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Yaron Sheffer
- Re: [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Yaron Sheffer
- Re: [GNAP] Terminology proposal Fabien Imbault
- Re: [GNAP] Terminology proposal Tom Jones
- Re: [GNAP] Terminology proposal Fabien Imbault