[OAUTH-WG] Any comment on the use cases based on draft-zhou-oauth-owner-auth?
zhou.sujing@zte.com.cn Wed, 05 December 2012 08:32 UTC
Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A9CA21F8BFE for <oauth@ietfa.amsl.com>; Wed, 5 Dec 2012 00:32:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.834
X-Spam-Level:
X-Spam-Status: No, score=-96.834 tagged_above=-999 required=5 tests=[AWL=-0.239, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_23=0.6, J_CHICKENPOX_38=0.6, J_CHICKENPOX_48=0.6, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z1TNGZOMAAZK for <oauth@ietfa.amsl.com>; Wed, 5 Dec 2012 00:32:10 -0800 (PST)
Received: from zte.com.cn (mx5.zte.com.cn [63.217.80.70]) by ietfa.amsl.com (Postfix) with ESMTP id 1D63A21F8CA4 for <oauth@ietf.org>; Wed, 5 Dec 2012 00:32:09 -0800 (PST)
Received: from mse02.zte.com.cn (unknown [10.30.3.21]) by Websense Email Security Gateway with ESMTPS id 1728012841A8; Wed, 5 Dec 2012 16:33:51 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id qB58VktZ040925; Wed, 5 Dec 2012 16:31:47 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
In-Reply-To: <OF8FBFA845.2E841A64-ON48257ACA.00204DC5-48257ACA.002063A4@LocalDomain>
To: "oauth@ietf.org WG" <oauth@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OF7C9A55E8.A9C213CF-ON48257ACB.002EE450-48257ACB.002EF7A1@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Wed, 05 Dec 2012 16:31:39 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.3FP1 HF212|May 23, 2012) at 2012-12-05 16:31:45, Serialize complete at 2012-12-05 16:31:45
Content-Type: multipart/alternative; boundary="=_alternative 002EF7A148257ACB_="
X-MAIL: mse02.zte.com.cn qB58VktZ040925
Subject: [OAUTH-WG] Any comment on the use cases based on draft-zhou-oauth-owner-auth?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2012 08:32:14 -0000
ZhouSuJing00132831/user/zte_ltd 写于 2012-12-04 13:52:30: > How about the following use cases: > 1. Direct Delegation > > Description: > > Company GoodPay prepares the employee payrolls for the company > GoodWork. In order to do that the application at www.GoodPay.example > gets authenticated access to the employees' attendance data stored at > www.GoodWork.example. > > Pre-conditions: > > o The application at www.GoodPay.example has obtained an > authentication delegation from a party that is trusted by the > application at www.GoodWork.example > > o The scope of the access by the application at www.GoodPay.example > to the data stored at www.GoodWork.example has been defined > > o The application at www.GoodPay.example is not capable of validating > its delegation. > > Post-conditions: > > A successful procedure results in the application at > www.GoodPay.example receiving an access token after authenticating to > the authorization or the application running at www.GoodWork. > example by presenting an > delegation. > > Requirements: > > o Authentication of the application at www.GoodPay.example to the > authorization server or the application at www.GoodWork. > example is required > > o The authorization or the application running at www.GoodWork. > example must be capable of > validating delegation presented by the application running at > www.GoodPay.example > > > > 2. Proxy delegation > > Description: > > Alice has her financial data stored at a financial company www. > financial.com, her lawyer needs to > obtain authenticated access to some of her financial data to run > applications at www.lawyer.example. > Alice and the lawyer have rather long term trust relationship, > but still Alice is not willing to leak her secret credential to the > > lawyer. The applications at www.lawyer.example may change over the > time, Alice is not willing to be bothered by generating assertion > each time a new application comes out. > > Pre-conditions: > > o Alice has a secret private key and corresponding public key > o Alice could generate a proxy private key for her lawyer > o Lawyer could generate proxy signature based on his proxy > private key for any application at www.lawyer.examplethat is in the > > scope (the scope could be as broad as any application at the website > www.lawyer.example) of the proxy private key. > > Post-conditions: > > A successful procedure results in the application at > www.lawyer.examplereceiving an access token after presenting a > proxy signature to > the authorization server specified by Alice. > > Requirements: > > o Authentication of the application at www.lawyer.exampleto the > application at www.financial.example is required > > o The authorization server must be capable of > validating proxy signature presented by the application running at > www.lawyer.example > > John Bradley <ve7jtb@ve7jtb.com> 写于 2012-12-03 21:17:38: > > > That may relate more to the proof of possession discussion. > > > > You may want to submit that as a use case. > > > > John B. > > On 2012-12-03, at 6:01 AM, zhou.sujing@zte.com.cn wrote: > > > > > > > > And another difference is my use case could be that "assertion" be > > generated sequentially by resource owner and client. > > For example, resource owner delegates a client to generate signature > > on behalf of it, client generates a signature using the private > key of itself, > > which is called proxy signature in cryptography. > > > > > > > > > My use case is indeed similar to assertion flow "section 6.3. > > > Client Acting on Behalf of a User". > > > Differences are: > > > 1. if my use case is carried out in assertion framework, "pricipal" > > > should be client, while assertion document does not > > > include client as an option when client is acting on behalf of a > > > user(resource owner), it says " an authorized accessor for which the > > > access token is being requested (typically the resource owner, or > > > an authorized delegate)." > > > 2. if my use case is carried out in assertion framework, "issuer" > > > should be resource owner, while assertion document only includes > > > client and token service > > > > > > In my use case the "assertion" is more like a private output, while > > > in assertion flow "assertion " is generated by a thrid party token > > > service or by client itself. > > > > > > Nat Sakimura <sakimura@gmail.com> > > > 2012-12-03 14:44 > > > > > > 收件人 > > > > > > zhou.sujing@zte.com.cn > > > > > > 抄送 > > > > > > "oauth@ietf.org WG" <oauth@ietf.org> > > > > > > 主题 > > > > > > Re: Re: [OAUTH-WG] Hi,any comment on draft-zhou-oauth-owner-auth? > > > > > > Your usecase sounds a little bit like the assertion flow. > > > The RO issues an assertion and the rest goes. > > > Is there reasons that an assertion flow cannot do? > > > > > > Nat > > > > > On Mon, Dec 3, 2012 at 3:35 PM, <zhou.sujing@zte.com.cn> wrote: > > > my use case(RO-initiated delegation): > > > -I deposit my child(precious resource) at kindergarden(Resource Server) > > > -I delegate a few persons,e.g., grandparents of my child, to pick up > > > my child at the kindergarden > > > -when someone tries to take him outside of the kindergarden, the > > > teacher will ask him/her to show my delegation > > > statement, no statement, no taking my child. > > > > > > > > > > > -- > > > Nat Sakimura (=nat) > > > Chairman, OpenID Foundation > > > http://nat.sakimura.org/ > > > @_nat_en _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth