Re: [GNAP] Gathering Consent and Authorization
Fabien Imbault <fabien.imbault@gmail.com> Fri, 09 April 2021 15:33 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEB263A24F1 for <txauth@ietfa.amsl.com>; Fri, 9 Apr 2021 08:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cWWNx-l6otjg for <txauth@ietfa.amsl.com>; Fri, 9 Apr 2021 08:33:29 -0700 (PDT)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53B3E3A1A07 for <txauth@ietf.org>; Fri, 9 Apr 2021 08:33:29 -0700 (PDT)
Received: by mail-il1-x134.google.com with SMTP id w2so5021557ilj.12 for <txauth@ietf.org>; Fri, 09 Apr 2021 08:33:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YW9T2WhvkomXNiBJc/4EwKAogQ5gI1MrVAAKUGGWZv8=; b=bfN0QJTqO29aIQ+X1aKaTetAmGcPtu0cO7aunCae+6IvP9IfAU0Gtp8hEQV2PXFUpw wEK0hQQC1tQF1idCUEUVuPgGJvyiIunBwyWcgYHFIetF8Ktxk+U8OXfWELfyKVqIAIvF RyYt2P1bcC4gtVnjnP6+snie/jOZ0BGu4vlii1jUCxMujj0nSZIRwraC580sRYgRnHrZ KpsagCau5QCfX46QeQOsZzvlFazDbvnyaONOIaJjFHo7p0uKKZSBNJv8acL6L7OEKsN3 uAM1dWvp2Nf/T7/4ZYe/yYPmHrtqLYSYxIZFd0UY/FIMx0FJJqi6P3HPyV+JWfsnXfDi q6NQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YW9T2WhvkomXNiBJc/4EwKAogQ5gI1MrVAAKUGGWZv8=; b=MSJGPF3ObuPyCYcLsv04RXrigCDv+D3D8X6eR3rP+jTmGGgu+026Zoal4GHvJ/5qkL UnAnI0luFnt3DI9mKWvIbqEqqyBTKqORKBCUYEL8L4kKRFqtIK+kRllH4Iz1/1ntohu5 zcOdChwzGk1BQ5pbj773dpd/+OZwymtosmqGtzRHn9zuYx/lfI/1qOo7Mnz3fIki8ZcN 8hcvkDsc4VaCozjrloAuU+CjrLiCwoDhe0LsF2NsZq+zqnVJMOmD/KP2MJI/VxrX4ok4 EO+Kmi0yBTodu8tit/bIzprwOVvreIrZPI4LbOjlyWsIFNhpK3UVTi+2wjBA639v5/2u 9Rcw==
X-Gm-Message-State: AOAM533XUcdPmByMRPn2SqF/qd76Jz4UfUoOAPNnpi2O7c30L7N+kSgw Qho0WtVanWO2BK+PQCa3V2d0hv0gGOCHxhDe2UA=
X-Google-Smtp-Source: ABdhPJwNHvQHPK5aB9myakklhZrtknQDqdFFp5SDUKow3eI2ULjV6WNqeVdXWZ0BTNz7ItwERsZPrBZANcHo+Idu/x4=
X-Received: by 2002:a05:6e02:4aa:: with SMTP id e10mr2274297ils.188.1617982407477; Fri, 09 Apr 2021 08:33:27 -0700 (PDT)
MIME-Version: 1.0
References: <40D2CDB6-9EF7-42B1-8926-CDDC3523A5AE@mit.edu> <db00be0b-3559-7738-d6d7-2699770a05cf@free.fr>
In-Reply-To: <db00be0b-3559-7738-d6d7-2699770a05cf@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 09 Apr 2021 17:33:16 +0200
Message-ID: <CAM8feuT2RiR-1nSZ68ZyQqqM5sWuMUYDXO_0ip6z8DGQ8oyW4g@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: Justin Richer <jricher@mit.edu>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a68d1a05bf8be2ef"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/sIa5XmERmnN58wej3BjeAYDHrjU>
Subject: Re: [GNAP] Gathering Consent and Authorization
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 15:33:34 -0000
Hi, Remember that for convenience, the PR generates an HTML draft, so you should be able to read easily. See https://deploy-preview-242--gnap-core-protocol-editors-draft.netlify.app/ In particular section 4 is now called Determining Authorization and Consent. Cheers Fabien On Fri, Apr 9, 2021 at 5:12 PM Denis <denis.ietf@free.fr> wrote: > Hi Justin, > > "Gathering Consent" is not solely related with a section that would be > called “Interaction at the AS”. > > For authorizing a method on an object, the RS (or more precisely the RO > controlling that object) is wishing to obtain some privileges > (i.e. attributes types and /or rights ) inside an access token that may be > issued by *one AS among several ASs*. > > The privileges a RS is wishing to obtain should be proportionate to the > method that is being requested on the object. This means that > in the first access to a RS, the client should advertise both the method > and the object on which the method applies and then in its response, > the RS should indicate which choices are possible and the reason(s) behind > each choice ("User Notice"). > > In general, it is possible to decompose the end-user choice into three > consecutive choices: > > a) a first choice for selecting the AS, > b) a second choice for selecting different privileges *types *(i.e. > attributes types and /or rights types) for the selected AS, > c) a third choice selecting different privileges *values *for the > selected privileges types (i.e. attributes type values and /or rights types > values) > > If a RS is only trusting one AS, the first choice becomes a YES or NO > question. The second choice must be based on information provided by the RS, > since only the RS is knowing the rational to request some set of > privileges. In such a case , the dialogue with the end-user can be done > either > *directly at the RS* or *locally at the client* using information > provided by the RS. The third choice must be done at the AS. > > If a RS is trusting more than one AS, the first and the second choices > must be done before contacting an AS (see above), while the third choice > must be done at the AS. > > Denis > > PS. I have not yet read through the new text. > > > We’ve recently had a lot of good discussion about the nature and role of > the AS within GNAP, and the editors stated that we would be working on new > text to incorporate this discussion. With that in mind, I wanted to bring > everyone’s attention to a PR that makes some big changes to the core spec, > though mostly in the description of how components work and less with the > normative syntax of the protocol itself. > > https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/242 > > This rewrites the section that is currently “Interaction at the AS” to > better describe the wider range of possibilities for the authorization > process. Note that this PR hasn’t been tagged as “pending merge” by the > editors yet, which means there’s not a review deadline in place yet, but > since it’s such a big change we’d like to get it in somewhat soon. Please > go read through the new text and help improve it! > > Thank you, > — Justin > > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [GNAP] Gathering Consent and Authorization Justin Richer
- Re: [GNAP] Gathering Consent and Authorization Denis
- Re: [GNAP] Gathering Consent and Authorization Fabien Imbault