Re: [GNAP] Gathering Consent and Authorization

Fabien Imbault <fabien.imbault@gmail.com> Fri, 09 April 2021 15:33 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEB263A24F1 for <txauth@ietfa.amsl.com>; Fri, 9 Apr 2021 08:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cWWNx-l6otjg for <txauth@ietfa.amsl.com>; Fri, 9 Apr 2021 08:33:29 -0700 (PDT)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53B3E3A1A07 for <txauth@ietf.org>; Fri, 9 Apr 2021 08:33:29 -0700 (PDT)
Received: by mail-il1-x134.google.com with SMTP id w2so5021557ilj.12 for <txauth@ietf.org>; Fri, 09 Apr 2021 08:33:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YW9T2WhvkomXNiBJc/4EwKAogQ5gI1MrVAAKUGGWZv8=; b=bfN0QJTqO29aIQ+X1aKaTetAmGcPtu0cO7aunCae+6IvP9IfAU0Gtp8hEQV2PXFUpw wEK0hQQC1tQF1idCUEUVuPgGJvyiIunBwyWcgYHFIetF8Ktxk+U8OXfWELfyKVqIAIvF RyYt2P1bcC4gtVnjnP6+snie/jOZ0BGu4vlii1jUCxMujj0nSZIRwraC580sRYgRnHrZ KpsagCau5QCfX46QeQOsZzvlFazDbvnyaONOIaJjFHo7p0uKKZSBNJv8acL6L7OEKsN3 uAM1dWvp2Nf/T7/4ZYe/yYPmHrtqLYSYxIZFd0UY/FIMx0FJJqi6P3HPyV+JWfsnXfDi q6NQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YW9T2WhvkomXNiBJc/4EwKAogQ5gI1MrVAAKUGGWZv8=; b=MSJGPF3ObuPyCYcLsv04RXrigCDv+D3D8X6eR3rP+jTmGGgu+026Zoal4GHvJ/5qkL UnAnI0luFnt3DI9mKWvIbqEqqyBTKqORKBCUYEL8L4kKRFqtIK+kRllH4Iz1/1ntohu5 zcOdChwzGk1BQ5pbj773dpd/+OZwymtosmqGtzRHn9zuYx/lfI/1qOo7Mnz3fIki8ZcN 8hcvkDsc4VaCozjrloAuU+CjrLiCwoDhe0LsF2NsZq+zqnVJMOmD/KP2MJI/VxrX4ok4 EO+Kmi0yBTodu8tit/bIzprwOVvreIrZPI4LbOjlyWsIFNhpK3UVTi+2wjBA639v5/2u 9Rcw==
X-Gm-Message-State: AOAM533XUcdPmByMRPn2SqF/qd76Jz4UfUoOAPNnpi2O7c30L7N+kSgw Qho0WtVanWO2BK+PQCa3V2d0hv0gGOCHxhDe2UA=
X-Google-Smtp-Source: ABdhPJwNHvQHPK5aB9myakklhZrtknQDqdFFp5SDUKow3eI2ULjV6WNqeVdXWZ0BTNz7ItwERsZPrBZANcHo+Idu/x4=
X-Received: by 2002:a05:6e02:4aa:: with SMTP id e10mr2274297ils.188.1617982407477; Fri, 09 Apr 2021 08:33:27 -0700 (PDT)
MIME-Version: 1.0
References: <40D2CDB6-9EF7-42B1-8926-CDDC3523A5AE@mit.edu> <db00be0b-3559-7738-d6d7-2699770a05cf@free.fr>
In-Reply-To: <db00be0b-3559-7738-d6d7-2699770a05cf@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 9 Apr 2021 17:33:16 +0200
Message-ID: <CAM8feuT2RiR-1nSZ68ZyQqqM5sWuMUYDXO_0ip6z8DGQ8oyW4g@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: Justin Richer <jricher@mit.edu>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a68d1a05bf8be2ef"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/sIa5XmERmnN58wej3BjeAYDHrjU>
Subject: Re: [GNAP] Gathering Consent and Authorization
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 15:33:34 -0000

Hi,

Remember that for convenience, the PR generates an HTML draft, so you
should be able to read easily.
See
https://deploy-preview-242--gnap-core-protocol-editors-draft.netlify.app/

In particular section 4 is now called Determining Authorization and Consent.

Cheers
Fabien

On Fri, Apr 9, 2021 at 5:12 PM Denis <denis.ietf@free.fr> wrote:

> Hi  Justin,
>
> "Gathering Consent"  is not solely related with a section that would be
> called “Interaction at the AS”.
>
> For authorizing a method on an object, the RS (or more precisely the RO
> controlling that object) is wishing to obtain some privileges
> (i.e. attributes types and /or rights ) inside an access token that may be
> issued by *one AS among several ASs*.
>
> The privileges a RS is wishing to obtain should be proportionate to the
> method that is being requested on the object. This means that
> in the first access to a RS, the client should advertise both the method
> and the object on which the method applies and then in its response,
> the RS should indicate which choices are possible and the reason(s) behind
> each choice ("User Notice").
>
> In general, it is possible to decompose the end-user choice into three
> consecutive choices:
>
> a) a first choice for selecting the AS,
> b) a second choice for selecting different privileges *types *(i.e.
> attributes types and /or rights types) for the selected AS,
> c) a third choice selecting different privileges *values *for the
> selected privileges types (i.e. attributes type values and /or rights types
> values)
>
> If a RS is only trusting one AS, the first choice becomes a YES or NO
> question. The second choice must be based on information provided by the RS,
> since only the RS is knowing the rational to request some set of
> privileges. In such a case , the dialogue with the end-user can be done
> either
> *directly at the RS* or *locally at the client* using information
> provided by the RS. The third choice must be done at the AS.
>
> If a RS is trusting more than one AS, the first and the second choices
> must be done before contacting an AS (see above), while the third choice
> must be done at the AS.
>
> Denis
>
> PS. I have not yet read through the new text.
>
>
> We’ve recently had a lot of good discussion about the nature and role of
> the AS within GNAP, and the editors stated that we would be working on new
> text to incorporate this discussion. With that in mind, I wanted to bring
> everyone’s attention to a PR that makes some big changes to the core spec,
> though mostly in the description of how components work and less with the
> normative syntax of the protocol itself.
>
> https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/242
>
> This rewrites the section that is currently “Interaction at the AS” to
> better describe the wider range of possibilities for the authorization
> process. Note that this PR hasn’t been tagged as “pending merge” by the
> editors yet, which means there’s not a review deadline in place yet, but
> since it’s such a big change we’d like to get it in somewhat soon. Please
> go read through the new text and help improve it!
>
> Thank you,
>  — Justin
>
>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>