[Wg-uma] Requirements for pre-authn and/or pre-authz of Requesters?

Eve Maler eve at xmlgrrl.com
Mon Oct 19 19:46:40 EDT 2009


In reviewing the meeting notes from last time:

http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2009-10-15

...I thought it might be a good idea to start an email thread on the "mass authorization" idea represented by Christian's distributed-services scenario, so we can be prepared to discuss it next time:

http://kantarainitiative.org/confluence/display/uma/distributed_services_scenario

The mockup screenshot here is particularly interesting, but I feel a need to dig into it more to really understand. What's an example of "New Service"? Does it represent another *person* in your life whom you want to authorize to see your various activity streams, or just another *service* that you yourself use? If the latter, what would it do with a set of authorizations for access (vs. more selective one-by-one authorizations) if the API for each of the Hosts is wildly different? What do you as the Authorizing User gain by doing a mass authorization -- or is this just for the efficiency/performance of the Requester?

If we can identify a solid real-world scenario here, then I suspect we can untangle if we have a new requirement here. As stated in the minutes:

"So do we have a requirement to pre-authorize access before the Requester ever hits a Host? Or is it a requirement to pre-authenticate particular Requesters (like the service called "New Service" in Christian's wireframe diagram)?"

(BTW, the revocation of access by a single Requester, which is mentioned at the end of the scenario, is something we imagined pretty early on. I don't *think* we need to consider any changes to the ProtectServe sketch to achieve it, because the user can go into their AM anytime and tweak settings, resulting in authorization being denied on subsequent access attempts. Outside of the protocol, AM services could compete on how granular their policy-setting apparatus is, e.g. per Requester, per Host, per individual resource, per group of Requesters, etc.)

	Eve

Eve Maler
eve at xmlgrrl.com
http://www.xmlgrrl.com/blog
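As an added illustration (not code from this message, the UMA group, or the ProtectServe sketch), the Python model below shows the policy granularities the message lists (per Requester, per Host, per individual resource, per group of Requesters), a "mass authorization" expressed as a single wildcard rule that narrower rules can carve exceptions out of, and revocation of a single Requester taking effect on its next access attempt because the Host asks the AM for a decision every time. All names (`new-service`, `friend-app`, `bank.example`, the `family` group) are constructed sample values; the rule-matching scheme (most specific rule wins, deny wins ties, default deny) is an assumption made for the example, not something the UMA drafts specify.

```python
"""Toy Authorization Manager (AM) policy store.

Added example, not UMA or ProtectServe code. Models the policy granularity
discussed on the list and shows revocation denying subsequent access attempts.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ANY = "*"  # wildcard in a rule key: matches any requester, host or resource

# (subject, host, resource); subject is a requester id or "group:<name>"
Rule = Tuple[str, str, str]


@dataclass
class AuthorizationManager:
    rules: Dict[Rule, bool] = field(default_factory=dict)      # True = allow, False = deny
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group name -> requester ids
    audit: List[str] = field(default_factory=list)             # one line per decision

    def set_rule(self, subject: str = ANY, host: str = ANY,
                 resource: str = ANY, allow: bool = True) -> None:
        """Authorizing User sets (or overwrites) one policy rule in the AM."""
        self.rules[(subject, host, resource)] = allow

    def add_to_group(self, group: str, requester: str) -> None:
        """Per-group-of-Requesters policy: membership is resolved at decision time."""
        self.groups.setdefault(group, set()).add(requester)

    def revoke_requester(self, requester: str) -> None:
        """Revoke a single Requester: drop every rule naming it and pin an explicit
        requester-wide deny, so an older, more specific allow cannot outrank it."""
        for key in [k for k in self.rules if k[0] == requester]:
            del self.rules[key]
        self.rules[(requester, ANY, ANY)] = False

    def _subjects(self, requester: str) -> Set[str]:
        """Identifiers a requester can match: its own id, its groups, the wildcard."""
        subjects = {requester, ANY}
        subjects.update(f"group:{g}" for g, members in self.groups.items()
                        if requester in members)
        return subjects

    def is_authorized(self, requester: str, host: str, resource: str) -> bool:
        """Decision the Host obtains from the AM on each access attempt.
        Most specific matching rule wins; deny wins a tie; no match means deny."""
        subjects = self._subjects(requester)
        best, decision = -1, False
        for (subj, h, r), allow in self.rules.items():
            if subj not in subjects or h not in (host, ANY) or r not in (resource, ANY):
                continue
            specificity = (subj != ANY) + (h != ANY) + (r != ANY)
            if specificity > best:
                best, decision = specificity, allow
            elif specificity == best and not allow:
                decision = False
        self.audit.append(f"{requester} -> {host}/{resource}: "
                          f"{'allow' if decision else 'deny'}")
        return decision


def demo() -> Dict[str, bool]:
    """Constructed scenario: one mass authorization, one selective grant,
    one group grant, one per-Host exception, then a revocation."""
    am = AuthorizationManager()
    # mass authorization: "New Service" may read every stream on every Host
    am.set_rule(subject="new-service", allow=True)
    # but the Authorizing User carves out one Host from that grant
    am.set_rule(subject="new-service", host="bank.example", allow=False)
    # selective, per-resource grant to another Requester
    am.set_rule(subject="friend-app", host="photos.example",
                resource="/albums/2009", allow=True)
    # group of Requesters granted a whole Host
    am.add_to_group("family", "sister-app")
    am.set_rule(subject="group:family", host="calendar.example", allow=True)

    results = {
        "new-service blog": am.is_authorized("new-service", "blog.example", "/feed"),
        "new-service bank": am.is_authorized("new-service", "bank.example", "/statements"),
        "friend album 2009": am.is_authorized("friend-app", "photos.example", "/albums/2009"),
        "friend album 2010": am.is_authorized("friend-app", "photos.example", "/albums/2010"),
        "sister calendar": am.is_authorized("sister-app", "calendar.example", "/events"),
        "stranger blog": am.is_authorized("stranger", "blog.example", "/feed"),
    }
    # user revokes "New Service" in the AM; the Host's next check is denied
    am.revoke_requester("new-service")
    results["new-service blog after revoke"] = am.is_authorized(
        "new-service", "blog.example", "/feed")
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'allow' if allowed else 'deny'}")
```

The point the example makes about the protocol sketch matches the message's claim: nothing in the Host-to-AM exchange has to change for revocation, because the decision is re-evaluated on each attempt; what differs between AM implementations is only how fine-grained the rule keys are.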

