Francesca Palombini <[email protected]> wrote: mcr> Is there an assumption that the access rights(T2) >= access mcr> rights(T1)?
> FP: No. But at the same time if access rights(T2) is a subset of access
> rights(T1), then there is no point in the client requesting T2 from the
> AS... These could be a disjoint sets of access rights.
There are some cases here.
T2 is a superset of T1. Everything makes sense.
T2 is a subset of T1. I to think about this.
T2 is complete disjoint of T1.
T2 is the union of a subnet of T1, and some new set of rights T2B.
That is, partial overlap, but T2 not superset of T1.
> FP: As currently defined in the document, yes, Sec1 ends up being
> deleted as soon as Sec2 is validated (i.e. a request is correctly
> decrypted by the receiving endpoint using Sec2). If T1 and T2 do
> different things and the client wants to (and is allowed to - T1 is not
> expired or revoked for some reason) keep T1 alive, then we are not in
> the case of "update of access rights", i.e. the case where T2 replaces
> T1. My "Final point" was to cover exactly the case you mention, where
> T1 and T2 are used to derive 2 different security contexts, where the
> RS does not realize they come from the same Client. It is up to the AS
> to make sure that T1 and T2 are disjoints: why would the AS even send 2
> different tokens that cover part of or the entire same scope at the
> same RS to the same client? By the way, if it is not already in there,
> I think that that is another excellent consideration point for the Ace
> framework.
Client could be vaguely "multi-tenant", having a common security substrate.
That's why there could be 2 different tokens.
Think intelligent speakers that can learn "skills".
One skill operates the stereo, and wants to adjust living room lighting for
appropriate mood. (/me deletes off-colour joke about South Park)
The other skill is the sleep aid, and just wants to dim all lights to near
darkness, but should not operate stereo.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
