Thoughts on Obligations
Folks, I am concerned about putting specific obligations on the RS and thus subjagating it to the AS. Specifically to allow for Enterprise MAC with UMA participation, where the End user is a participant in the access control decision, but not the only participant. 1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>: Delegate-Protection* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> have mutually agreed to serve in these respective roles for each other, theResource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> to delegate protection services to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> for the set of protectable resources for which it represents this capability to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>, and to respect the authorization data that the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> has associated with an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> when the Resource Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_0.md> subsequently allows or disallows access by the Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> that presented that RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md>. My concern here is that it delegates "Protection services" to the AS, and this feels a little like an all or nothing. This might not be true in the case where the RO is only one party in the Access control decision. 3. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md>: Respect-Permissions* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> have mutually agreed to serve in these respective roles for each other, the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> to disallow access by a Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> presenting an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> in all cases where the authorization data associated by the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> is insufficient for the access attempt.. The RS is obligated to dissallow access in the AS cannot provide sufficient rights - in all cases. This has several implications. If the RS has additional business rules whereby a party might get access even tho they are not UMA authorized, (break glass?) (Admin or Help Desk) The RS HAS to determine if a user is a special user BEFORE making the request to the AS. Since once it has an answer, it is obligated to deny. This implies that the RS cannot opt out once the request to the AS is made. It feels a little bit like don't ask don't tell! My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions. Allan -- Simplify Email: Email Charter <http://emailcharter.org/> ForgeRock Logo *Allan Foster - ForgeRock * /VP Strategic Partner Enablement/ *Location:*San Francisco *p:* +1.214.755.9218 *email:* allan.foster@forgerock.com <mailto:allan.foster@forgerock.com> *blogs:* blogs.forgerock.com/GuruAllan <http://blogs.forgerock.com/GuruAllan> *Skype:* Call GuruAllan <http://is.gd/lWVfMG> *www:* www.forgerock.com <http://www.forgerock.com/> *www:* www.forgerock.org <http://www.forgerock.org/>
(For those not familiar, "DAC" is Discretionary Access Control and "MAC" is Mandatory Access Control. We're using those terms somewhat loosely, but you get the idea. Here are some discussions: DAC <https://en.wikipedia.org/wiki/Discretionary_access_control> MAC <https://en.wikipedia.org/wiki/Mandatory_access_control>) This is some great, careful parsing of the language, and brings us firmly into the BLT challenge -- whether on the federated authorization or the individual consent/delegation side of the world. You're right that the Delegate-Protection clause, as currently stated, is very "all or nothing", and doesn't match the more careful and new circumscribing in the Respect Permissions clause. (The latter's name, btw, is still old; it comes from when the text was still itself all or nothing. Depending on which way we go, maybe we should rename it.) In V1.0.1 Core Sec 3.3.3 <https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#give-access>, as already noted, we clarified that the RS always has the right to refuse access, the way an RP does. But we had been assuming that if the UMA flow is being used, then Alice's word goes when it comes to denial of access; you can see it in this wording in the same section: "The resource server MUST NOT give access in the case of an invalid RPT or an RPT associated with insufficient authorization." This has been in the text for a long time. The equivalent in V1.0 (Core Sec 3.1.2 <https://docs.kantarainitiative.org/uma/rec-uma-core-v1_0.html#rfc.section.3.1.2>) was "The resource server MUST NOT give access where the token's status is not associated with sufficient authorization data for the attempted scope of access." The thinking has been that if the RS is consulting the AS at all, then the process has to count for something. There are plenty of ways for the RS not to consult the AS and do what it wants -- and that's where MAC can come in. But I can think of at least a couple of sticky wickets here. - An RS can perform any "local" authorization procedures it wants, before and/or after doing the UMA dance, i.e., getting a token from the client, introspecting it, etc. Are we saying that the moment an RS, say, accepts the client's token -- or introspects it (what's the relevant state change?) -- it's suddenly impossible to grant access if the associated authorization data said no? The state change we pick will strongly affect what optimizations RS's will pick. - If UMA ultimately gets commonly used for MAC-ish use cases separately from DAC-ish use cases -- iow, it's used in separate circumstances possibly by different IT stakeholders for both ordinary "do what Alice says" stuff and "override her wishes" stuff -- then what the heck is the interaction between *not* consulting Alice's AS but going off and consulting the enterprise's AS at some point?? *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl On Mon, Dec 21, 2015 at 7:38 PM, Allan Foster <allan.foster@forgerock.com> wrote:
Folks, I am concerned about putting specific obligations on the RS and thus subjagating it to the AS.
Specifically to allow for Enterprise MAC with UMA participation, where the End user is a participant in the access control decision, but not the only participant.
1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>: Delegate-Protection* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> have mutually agreed to serve in these respective roles for each other , theResource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> to delegate protection services to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> for the set of protectable resources for which it represents this capability to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>, and to respect the authorization data that the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> has associated with an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> when the Resource Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_0.md> subsequently allows or disallows access by the Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> that presented that RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> .
My concern here is that it delegates "Protection services" to the AS, and this feels a little like an all or nothing. This might not be true in the case where the RO is only one party in the Access control decision.
1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md>: Respect-Permissions* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> have mutually agreed to serve in these respective roles for each other , the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> to disallow access by a Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> presenting an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> in all cases where the authorization data associated by the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> is insufficient for the access attempt..
The RS is obligated to dissallow access in the AS cannot provide sufficient rights - in all cases.
This has several implications. If the RS has additional business rules whereby a party might get access even tho they are not UMA authorized, (break glass?) (Admin or Help Desk) The RS HAS to determine if a user is a special user BEFORE making the request to the AS. Since once it has an answer, it is obligated to deny. This implies that the RS cannot opt out once the request to the AS is made.
It feels a little bit like don't ask don't tell!
My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions.
Allan
-- Simplify Email: Email Charter <http://emailcharter.org/>
[image: ForgeRock Logo] *Allan Foster - ForgeRock * *VP Strategic Partner Enablement* *Location:*San Francisco *p:* +1.214.755.9218 *email:* <allan.foster@forgerock.com>allan.foster@forgerock.com *blogs:* blogs.forgerock.com/GuruAllan *Skype:* Call GuruAllan <http://is.gd/lWVfMG> *www:* www.forgerock.com *www:* www.forgerock.org
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
Allan, I don't know if this comment will be useful - but here goes. Your final statement "My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions" exposes part of a much larger problem in consent management...namely, local interpretation of business rules related to privacy, etc. Local interpretation creates a high degree of variance - making MANY rules difficult to operationalize. Keeping this in mind and finding a common standard, even at a basic technology level would help moderate the variance caused by local interpretation. Lisa Moon Principal Consultant Advocate Consulting LLC (c) 952-913-7263 lisa.moon@advocate-consulting.com On Mon, Dec 21, 2015 at 9:38 PM, Allan Foster <allan.foster@forgerock.com> wrote:
Folks, I am concerned about putting specific obligations on the RS and thus subjagating it to the AS.
Specifically to allow for Enterprise MAC with UMA participation, where the End user is a participant in the access control decision, but not the only participant.
1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>: Delegate-Protection* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> have mutually agreed to serve in these respective roles for each other , theResource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> to delegate protection services to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> for the set of protectable resources for which it represents this capability to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>, and to respect the authorization data that the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> has associated with an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> when the Resource Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_0.md> subsequently allows or disallows access by the Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> that presented that RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> .
My concern here is that it delegates "Protection services" to the AS, and this feels a little like an all or nothing. This might not be true in the case where the RO is only one party in the Access control decision.
1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md>: Respect-Permissions* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> have mutually agreed to serve in these respective roles for each other , the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> to disallow access by a Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> presenting an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> in all cases where the authorization data associated by the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> is insufficient for the access attempt..
The RS is obligated to dissallow access in the AS cannot provide sufficient rights - in all cases.
This has several implications. If the RS has additional business rules whereby a party might get access even tho they are not UMA authorized, (break glass?) (Admin or Help Desk) The RS HAS to determine if a user is a special user BEFORE making the request to the AS. Since once it has an answer, it is obligated to deny. This implies that the RS cannot opt out once the request to the AS is made.
It feels a little bit like don't ask don't tell!
My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions.
Allan
-- Simplify Email: Email Charter <http://emailcharter.org/>
[image: ForgeRock Logo] *Allan Foster - ForgeRock * *VP Strategic Partner Enablement* *Location:*San Francisco *p:* +1.214.755.9218 *email:* allan.foster@forgerock.com *blogs:* blogs.forgerock.com/GuruAllan *Skype:* Call GuruAllan <http://is.gd/lWVfMG> *www:* www.forgerock.com *www:* www.forgerock.org
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
I don't want this to sound cavalier in any way, but I wonder if this is a place where consent receipts could "paper over" a lot of sins/variances. If there is a specific reason for going against a specific set of authorization data, or lack of authorization data, in a requesting party token, then surely an accounting of exactly what the variance was, with an explanation of the delta against the exact RPT contents, would be a godsend. A couple of thoughts on this idea: - I doubt UMA the spec is ready yet to make a normative reference out to MVCR, but the time seems right to experiment with the idea anyway. - Remember that the RPT that a client brought to the resource server associates that client, its requesting party, the authorization server, and that resource server; the RS may possibly have introspected it to reveal permissions (assume the default "bearer" token profile) that are associated with other resource owners, not just Alice. Any logging of permission data on Alice's behalf has to be privacy-sensitive and stick to what's relevant to her. - Andrew's Shoebox endpoint would be handy about now, so we'd have a nice place to send the receipt. (Alice's AS could choose to host that endpoint for her.) Time for someone (in CIS WG? this one??) to sketch out that spec? - I've observed in the past that the AS has no way, strictly speaking, of knowing whether the client actually did gain access to a resource vs. just attempted it and appeared to succeed based on observation of RPT contents vs. policy. The Shoebox endpoint would nicely do for this plain purpose ("I gave them access per this authorization data"/"I didn't give them access per this authorization data") as well as the more sophisticated purpose ("I gave them access for reason X even though they had authorization data Y"/"I didn't give them access for reason A even though they had authorization data B"). - We could have model clauses that cover each of the four circumstances so that anyone who requires reporting of whatever combination could pull in the necessary clauses. Finally, if this is a viable approach, then indeed Allan is right, and our current clause talking about having to disallow access is all wet. :-) *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl On Tue, Dec 22, 2015 at 7:14 AM, Lisa Moon < lisa.moon@advocate-consulting.com> wrote:
Allan,
I don't know if this comment will be useful - but here goes.
Your final statement "My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions" exposes part of a much larger problem in consent management...namely, local interpretation of business rules related to privacy, etc.
Local interpretation creates a high degree of variance - making MANY rules difficult to operationalize. Keeping this in mind and finding a common standard, even at a basic technology level would help moderate the variance caused by local interpretation.
Lisa Moon Principal Consultant Advocate Consulting LLC (c) 952-913-7263 lisa.moon@advocate-consulting.com
On Mon, Dec 21, 2015 at 9:38 PM, Allan Foster <allan.foster@forgerock.com> wrote:
Folks, I am concerned about putting specific obligations on the RS and thus subjagating it to the AS.
Specifically to allow for Enterprise MAC with UMA participation, where the End user is a participant in the access control decision, but not the only participant.
1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>: Delegate-Protection* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> have mutually agreed to serve in these respective roles for each other, theResource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> to delegate protection services to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> for the set of protectable resources for which it represents this capability to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>, and to respect the authorization data that the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> has associated with an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> when the Resource Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_0.md> subsequently allows or disallows access by the Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> that presented that RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> .
My concern here is that it delegates "Protection services" to the AS, and this feels a little like an all or nothing. This might not be true in the case where the RO is only one party in the Access control decision.
1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md>: Respect-Permissions* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> have mutually agreed to serve in these respective roles for each other, the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> to disallow access by a Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> presenting an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> in all cases where the authorization data associated by the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> is insufficient for the access attempt..
The RS is obligated to dissallow access in the AS cannot provide sufficient rights - in all cases.
This has several implications. If the RS has additional business rules whereby a party might get access even tho they are not UMA authorized, (break glass?) (Admin or Help Desk) The RS HAS to determine if a user is a special user BEFORE making the request to the AS. Since once it has an answer, it is obligated to deny. This implies that the RS cannot opt out once the request to the AS is made.
It feels a little bit like don't ask don't tell!
My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions.
Allan
-- Simplify Email: Email Charter <http://emailcharter.org/>
[image: ForgeRock Logo] *Allan Foster - ForgeRock * *VP Strategic Partner Enablement* *Location:*San Francisco *p:* +1.214.755.9218 *email:* <allan.foster@forgerock.com>allan.foster@forgerock.com *blogs:* blogs.forgerock.com/GuruAllan *Skype:* Call GuruAllan <http://is.gd/lWVfMG> *www:* www.forgerock.com *www:* www.forgerock.org
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
On Tue, Dec 22, 2015 at 12:18 PM, Eve Maler <eve@xmlgrrl.com> wrote:
<snip>
- Remember that the RPT that a client brought to the resource server associates that client, its requesting party, the authorization server, and that resource server; the RS may possibly have introspected it to reveal permissions (assume the default "bearer" token profile) that are associated with other resource owners, not just Alice. Any logging of permission data on Alice's behalf has to be privacy-sensitive and stick to what's relevant to her.
<snip>
How and why does the RPT reveal permissions associated with other resource owners? Isn't the interaction between RS and Client always in a specific RO context? Adrian
On Tue, Dec 22, 2015 at 7:14 AM, Lisa Moon < lisa.moon@advocate-consulting.com> wrote:
Allan,
I don't know if this comment will be useful - but here goes.
Your final statement "My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions" exposes part of a much larger problem in consent management...namely, local interpretation of business rules related to privacy, etc.
Local interpretation creates a high degree of variance - making MANY rules difficult to operationalize. Keeping this in mind and finding a common standard, even at a basic technology level would help moderate the variance caused by local interpretation.
Lisa Moon Principal Consultant Advocate Consulting LLC (c) 952-913-7263 lisa.moon@advocate-consulting.com
On Mon, Dec 21, 2015 at 9:38 PM, Allan Foster <allan.foster@forgerock.com
wrote:
Folks, I am concerned about putting specific obligations on the RS and thus subjagating it to the AS.
Specifically to allow for Enterprise MAC with UMA participation, where the End user is a participant in the access control decision, but not the only participant.
1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>: Delegate-Protection* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> have mutually agreed to serve in these respective roles for each other, theResource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> to delegate protection services to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> for the set of protectable resources for which it represents this capability to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>, and to respect the authorization data that the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> has associated with an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> when the Resource Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_0.md> subsequently allows or disallows access by the Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> that presented that RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> .
My concern here is that it delegates "Protection services" to the AS, and this feels a little like an all or nothing. This might not be true in the case where the RO is only one party in the Access control decision.
1. *Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md>: Respect-Permissions* For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> have mutually agreed to serve in these respective roles for each other, the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> to disallow access by a Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> presenting an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> in all cases where the authorization data associated by the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> is insufficient for the access attempt..
The RS is obligated to dissallow access in the AS cannot provide sufficient rights - in all cases.
This has several implications. If the RS has additional business rules whereby a party might get access even tho they are not UMA authorized, (break glass?) (Admin or Help Desk) The RS HAS to determine if a user is a special user BEFORE making the request to the AS. Since once it has an answer, it is obligated to deny. This implies that the RS cannot opt out once the request to the AS is made.
It feels a little bit like don't ask don't tell!
My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions.
Allan
-- Simplify Email: Email Charter <http://emailcharter.org/>
[image: ForgeRock Logo] *Allan Foster - ForgeRock * *VP Strategic Partner Enablement* *Location:*San Francisco *p:* +1.214.755.9218 *email:* <allan.foster@forgerock.com>allan.foster@forgerock.com *blogs:* blogs.forgerock.com/GuruAllan *Skype:* Call GuruAllan <http://is.gd/lWVfMG> *www:* www.forgerock.com *www:* www.forgerock.org
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
-- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
You're right that the client presented the RPT in order to get access to a specific RO's "stuff", but technically (in the UMA sense), it doesn't strictly know that this is the case, and it's possible for its RPT to collect permissions that apply to the "stuff" that belongs to any of the ROs that use this RS. Core Sec 1.1.3 <https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#resource-api>: "An RPT binds a requesting party, the client being used by that party, the resource server at which protected resources of interest reside, and the authorization server that protects those resources. It is not specific to a single resource owner, though its internal authorization data components are likely to be bound in practice to individual resource owners, depending on the RPT profile in use." Core Sec 3.4.2 <https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#uma-bearer-token-profile> (part of the definition of what's returned when the RS introspects the token): "resource_set_id REQUIRED. A string that uniquely identifies the resource set, access to which has been granted to this client on behalf of this requesting party. The identifier MUST correspond to a resource set that was previously registered as protected." Even if the RPT contains lots of permission blocks for different resource owners, the resource server should be able to correlate the relevant resource set ID, for purposes of checking the client's access attempt, with its user -- the resource owner -- by virtue of the PAT it used to introspect the token. But it's theoretically possible that these resource set IDs, if badly constructed, all dumped to a big "comprehensive token contents" consent receipt, or correlated with badly protected PATs, could reveal a) the resource owner's identity used at the RS (none of the client/requesting party's business) and/or b) other resource owners at this resource owners' identities used at the same RS (also none of the client/requesting party's business). Other relevant spec snippets: Core Sec 8.1 <https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#rfc.section.8.1> (privacy consideration): "The authorization server comes to be in possession of resource set information that may reveal information about the resource owner, which the authorization server's trust relationship with the resource server is assumed to accommodate. However, the client is a less-trusted party -- in fact, entirely untrustworthy until authorization data is associated with its RPT. The more information about a resource set that is registered, the more risk of privacy compromise there is through a less-trusted authorization server." RSR Sec 5 <https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg-v1_0_1.html#rfc.section.5> (privacy considerations): "The communication between the authorization server and resource server may expose personally identifiable information of a resource owner. The context in which this API is used SHOULD account for its own unique privacy considerations." (Back when we used to use PUT and client-side ID creation vs. POST and server-side ID creation, we used to have a lot of text about ensuring randomness in ID creation for privacy. But hopefully well-constructed random resource set IDs are now baked into the cake.) *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl On Tue, Dec 22, 2015 at 10:19 AM, Adrian Gropper <agropper@healthurl.com> wrote:
On Tue, Dec 22, 2015 at 12:18 PM, Eve Maler <eve@xmlgrrl.com> wrote:
<snip>
- Remember that the RPT that a client brought to the resource server associates that client, its requesting party, the authorization server, and that resource server; the RS may possibly have introspected it to reveal permissions (assume the default "bearer" token profile) that are associated with other resource owners, not just Alice. Any logging of permission data on Alice's behalf has to be privacy-sensitive and stick to what's relevant to her.
<snip>
How and why does the RPT reveal permissions associated with other resource owners? Isn't the interaction between RS and Client always in a specific RO context?
Adrian Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
I'm not sure I understand, but it sounds like this is not a problem as long as the RO specifies the AS for herself. In that case, it's up to the AS to implement pairwise pseudonymity somehow if it wants to protect the RO's identity from correlation by malicious RS or C's. How the AS creates a separate AS URI for each RS would be out-of-scope for UMA. Adrian On Tue, Dec 22, 2015 at 7:21 PM, Eve Maler <eve@xmlgrrl.com> wrote:
You're right that the client presented the RPT in order to get access to a specific RO's "stuff", but technically (in the UMA sense), it doesn't strictly know that this is the case, and it's possible for its RPT to collect permissions that apply to the "stuff" that belongs to any of the ROs that use this RS.
Core Sec 1.1.3 <https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#resource-api>: "An RPT binds a requesting party, the client being used by that party, the resource server at which protected resources of interest reside, and the authorization server that protects those resources. It is not specific to a single resource owner, though its internal authorization data components are likely to be bound in practice to individual resource owners, depending on the RPT profile in use."
Core Sec 3.4.2 <https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#uma-bearer-token-profile> (part of the definition of what's returned when the RS introspects the token): "resource_set_id REQUIRED. A string that uniquely identifies the resource set, access to which has been granted to this client on behalf of this requesting party. The identifier MUST correspond to a resource set that was previously registered as protected."
Even if the RPT contains lots of permission blocks for different resource owners, the resource server should be able to correlate the relevant resource set ID, for purposes of checking the client's access attempt, with its user -- the resource owner -- by virtue of the PAT it used to introspect the token. But it's theoretically possible that these resource set IDs, if badly constructed, all dumped to a big "comprehensive token contents" consent receipt, or correlated with badly protected PATs, could reveal a) the resource owner's identity used at the RS (none of the client/requesting party's business) and/or b) other resource owners at this resource owners' identities used at the same RS (also none of the client/requesting party's business).
Other relevant spec snippets:
Core Sec 8.1 <https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#rfc.section.8.1> (privacy consideration): "The authorization server comes to be in possession of resource set information that may reveal information about the resource owner, which the authorization server's trust relationship with the resource server is assumed to accommodate. However, the client is a less-trusted party -- in fact, entirely untrustworthy until authorization data is associated with its RPT. The more information about a resource set that is registered, the more risk of privacy compromise there is through a less-trusted authorization server."
RSR Sec 5 <https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg-v1_0_1.html#rfc.section.5> (privacy considerations): "The communication between the authorization server and resource server may expose personally identifiable information of a resource owner. The context in which this API is used SHOULD account for its own unique privacy considerations."
(Back when we used to use PUT and client-side ID creation vs. POST and server-side ID creation, we used to have a lot of text about ensuring randomness in ID creation for privacy. But hopefully well-constructed random resource set IDs are now baked into the cake.)
*Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
On Tue, Dec 22, 2015 at 10:19 AM, Adrian Gropper <agropper@healthurl.com> wrote:
On Tue, Dec 22, 2015 at 12:18 PM, Eve Maler <eve@xmlgrrl.com> wrote:
<snip>
- Remember that the RPT that a client brought to the resource server associates that client, its requesting party, the authorization server, and that resource server; the RS may possibly have introspected it to reveal permissions (assume the default "bearer" token profile) that are associated with other resource owners, not just Alice. Any logging of permission data on Alice's behalf has to be privacy-sensitive and stick to what's relevant to her.
<snip>
How and why does the RPT reveal permissions associated with other resource owners? Isn't the interaction between RS and Client always in a specific RO context?
Adrian Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
-- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
In fact, I may have been way too privacy-paranoid about this, based on our previous "PUT" design for resource set ID registration/creation. Others who would like to do some security/privacy analysis, check me on this thinking... - Each client of the AS's protection API -- that is, each RS -- asks for a resource set to be registered with a POST request. The RS isn't in control of the ID assigned to the resource set. - The server side -- the AS -- will, in response to the POST, create a strongly pseudorandom rsid for each resource set registered, in an identifier namespace across the *entire* universe of RS's (and their resource owners) using that AS. - An RS can map the resource set IDs to its specific service users (resource owners). It does this through the PAT it used when using the RSR endpoint -- that is, registering (creating, updating, reading, listing, deleting) resource sets. - The AS can also, of course, map the resource set IDs to the relevant resource owners through the PAT so that it can provide protection to those resource sets. - However, interestingly -- due to UMA's usage of OAuth in the AS/RS coupling -- it doesn't know what identity the resource owner uses to access ("log in to") the RS, and the RS doesn't know what identity the resource owner uses to access the AS. :-) So, let's imagine the resource set IDs get out into the wild -- hacked by Anonymous and published widely or something. :-) How much damage is done? Unless the RS is malicious and actively correlates this information with the PATs it has, or has incredibly bad I'm not sure I can see a way. *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl On Tue, Dec 22, 2015 at 5:02 PM, Adrian Gropper <agropper@healthurl.com> wrote:
I'm not sure I understand, but it sounds like this is not a problem as long as the RO specifies the AS for herself. In that case, it's up to the AS to implement pairwise pseudonymity somehow if it wants to protect the RO's identity from correlation by malicious RS or C's. How the AS creates a separate AS URI for each RS would be out-of-scope for UMA.
Adrian
On Tue, Dec 22, 2015 at 7:21 PM, Eve Maler <eve@xmlgrrl.com> wrote:
You're right that the client presented the RPT in order to get access to a specific RO's "stuff", but technically (in the UMA sense), it doesn't strictly know that this is the case, and it's possible for its RPT to collect permissions that apply to the "stuff" that belongs to any of the ROs that use this RS.
Core Sec 1.1.3 <https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#resource-api>: "An RPT binds a requesting party, the client being used by that party, the resource server at which protected resources of interest reside, and the authorization server that protects those resources. It is not specific to a single resource owner, though its internal authorization data components are likely to be bound in practice to individual resource owners, depending on the RPT profile in use."
Core Sec 3.4.2 <https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#uma-bearer-token-profile> (part of the definition of what's returned when the RS introspects the token): "resource_set_id REQUIRED. A string that uniquely identifies the resource set, access to which has been granted to this client on behalf of this requesting party. The identifier MUST correspond to a resource set that was previously registered as protected."
Even if the RPT contains lots of permission blocks for different resource owners, the resource server should be able to correlate the relevant resource set ID, for purposes of checking the client's access attempt, with its user -- the resource owner -- by virtue of the PAT it used to introspect the token. But it's theoretically possible that these resource set IDs, if badly constructed, all dumped to a big "comprehensive token contents" consent receipt, or correlated with badly protected PATs, could reveal a) the resource owner's identity used at the RS (none of the client/requesting party's business) and/or b) other resource owners at this resource owners' identities used at the same RS (also none of the client/requesting party's business).
Other relevant spec snippets:
Core Sec 8.1 <https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#rfc.section.8.1> (privacy consideration): "The authorization server comes to be in possession of resource set information that may reveal information about the resource owner, which the authorization server's trust relationship with the resource server is assumed to accommodate. However, the client is a less-trusted party -- in fact, entirely untrustworthy until authorization data is associated with its RPT. The more information about a resource set that is registered, the more risk of privacy compromise there is through a less-trusted authorization server."
RSR Sec 5 <https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg-v1_0_1.html#rfc.section.5> (privacy considerations): "The communication between the authorization server and resource server may expose personally identifiable information of a resource owner. The context in which this API is used SHOULD account for its own unique privacy considerations."
(Back when we used to use PUT and client-side ID creation vs. POST and server-side ID creation, we used to have a lot of text about ensuring randomness in ID creation for privacy. But hopefully well-constructed random resource set IDs are now baked into the cake.)
*Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
On Tue, Dec 22, 2015 at 10:19 AM, Adrian Gropper <agropper@healthurl.com> wrote:
On Tue, Dec 22, 2015 at 12:18 PM, Eve Maler <eve@xmlgrrl.com> wrote:
<snip>
- Remember that the RPT that a client brought to the resource server associates that client, its requesting party, the authorization server, and that resource server; the RS may possibly have introspected it to reveal permissions (assume the default "bearer" token profile) that are associated with other resource owners, not just Alice. Any logging of permission data on Alice's behalf has to be privacy-sensitive and stick to what's relevant to her.
<snip>
How and why does the RPT reveal permissions associated with other resource owners? Isn't the interaction between RS and Client always in a specific RO context?
Adrian Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
--
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
Hi Lisa, This is a really good point. We have been working on an approach for a common consent record format that we call the Minimum Viable Consent Receipt. The aim with this specification is to provide the common components to consent in a framework that is easily localised. The aim I think here is to use this as a base profile for consent and then to develop further from there. We are currently on v0.7 of this specification and aim to have a project kit for making consent profiles that dee with the variability of consent notice requirements which can be operationalised with UMA. To find out more about about the spec, please take a look at the latest draft <http://openconsent.github.io/ConsentReceipt/specification/KI-CISWG-Editorial-MVCR-V0_7-20150907.doc>. We also have a website going up very soon with a demo api and some additional resources via GitHub. Kind Regards, Mark -PS. Eve, just saw your email, will have a look and respond when I get the chance.
On 22 Dec 2015, at 10:14, Lisa Moon <lisa.moon@advocate-consulting.com> wrote:
Allan,
I don't know if this comment will be useful - but here goes.
Your final statement "My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions" exposes part of a much larger problem in consent management...namely, local interpretation of business rules related to privacy, etc.
Local interpretation creates a high degree of variance - making MANY rules difficult to operationalize. Keeping this in mind and finding a common standard, even at a basic technology level would help moderate the variance caused by local interpretation.
Lisa Moon Principal Consultant Advocate Consulting LLC (c) 952-913-7263 lisa.moon@advocate-consulting.com <mailto:lisa.moon@advocate-consulting.com>
On Mon, Dec 21, 2015 at 9:38 PM, Allan Foster <allan.foster@forgerock.com <mailto:allan.foster@forgerock.com>> wrote: Folks, I am concerned about putting specific obligations on the RS and thus subjagating it to the AS.
Specifically to allow for Enterprise MAC with UMA participation, where the End user is a participant in the access control decision, but not the only participant.
Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>: Delegate-Protection For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> have mutually agreed to serve in these respective roles for each other, theResource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md> to delegate protection services to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> for the set of protectable resources for which it represents this capability to the Authorizing Party <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorizing_Party_0.md>, and to respect the authorization data that the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> has associated with an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> when the Resource Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_0.md> subsequently allows or disallows access by the Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> that presented that RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md>. My concern here is that it delegates "Protection services" to the AS, and this feels a little like an all or nothing. This might not be true in the case where the RO is only one party in the Access control decision. Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md>-Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md>: Respect-Permissions For the period that the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> and Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> have mutually agreed to serve in these respective roles for each other, the Resource Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Resource_Server_Operator_0.md> gains an obligation to the Authorization Server Operator <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_Operator_0.md> to disallow access by a Client <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Client_0.md> presenting an RPT <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Abbreviation/RPT_0.md> in all cases where the authorization data associated by the Authorization Server <http://www.commonaccord.org/index.php?action=source&file=GH/KantaraInitiative/UMA-Text/Terminology/Term/Authorization_Server_0.md> is insufficient for the access attempt.. The RS is obligated to dissallow access in the AS cannot provide sufficient rights - in all cases.
This has several implications. If the RS has additional business rules whereby a party might get access even tho they are not UMA authorized, (break glass?) (Admin or Help Desk) The RS HAS to determine if a user is a special user BEFORE making the request to the AS. Since once it has an answer, it is obligated to deny. This implies that the RS cannot opt out once the request to the AS is made.
It feels a little bit like don't ask don't tell!
My Concern is that the RS is ALWAYS the final arbitrator of access control, whether UMA, DAC or MAC. It should be able to modify its behavior based on local business rules and exceptions.
Allan
-- Simplify Email: Email Charter <http://emailcharter.org/>
Allan Foster - ForgeRock VP Strategic Partner Enablement Location:San Francisco p: +1.214.755.9218 <tel:%2B1.214.755.9218> email: <mailto:allan.foster@forgerock.com>allan.foster@forgerock.com <mailto:allan.foster@forgerock.com> blogs: blogs.forgerock.com/GuruAllan <http://blogs.forgerock.com/GuruAllan> Skype: Call GuruAllan <http://is.gd/lWVfMG> www: www.forgerock.com <http://www.forgerock.com/> www: www.forgerock.org <http://www.forgerock.org/>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <mailto:WG-UMA@kantarainitiative.org> http://kantarainitiative.org/mailman/listinfo/wg-uma <http://kantarainitiative.org/mailman/listinfo/wg-uma>
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
participants (5)
-
Adrian Gropper -
Allan Foster -
Eve Maler -
Lisa Moon -
smarthart