On 2020-07-18, at 00:21, Benjamin Kaduk <[email protected]> wrote:
>
> Refreshing my memory of the WG charter, it seems like this can be in scope,
> but we should be sure to consider what analogues already exist in
> non-constrained systems, and whether we are in fact creating something
> generally new and broadly useful.

Good point.

The simplistic model of AIF caters to servers where authorization can be described in terms of static resources (now also resources created from static resources) and CoAP methods that can be performed on them. CoAP methods can be related to HTTP methods. But I would expect most big-Web applications to have a more sophisticated authorization model, e.g., based on server-side information (user information in a database etc.). E.g., an OAuth AS in the big Web wouldn't say "give C access to these 10537 photos" and list them all, but "give C access to Peter's photos".

So I think the design of AIF is a bit specialized to devices where resources mostly correspond to physical traits of those devices that don't go away or come anew, with action resources (which are now handled with dynamic permissions) maybe an exception.

Regards,
Carsten

_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
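The authorization model the message describes (static resources paired with permitted CoAP methods, plus "dynamic" permissions for resources a request creates, and the need to enumerate resources rather than name a server-side group such as "Peter's photos") can be made concrete with a small policy evaluator. The following is an added illustration, not code from the ACE working group, the AIF draft or Carsten's message; the bit positions for each method and for the dynamic variant, the `[path, bitmask]` entry shape, and the helper names are this example's own assumptions, chosen only to show the mechanics.

```python
"""AIF-style resource/method authorization check (illustrative, not the AIF specification).

Assumptions made here: a policy is a list of [path, permission-bitmask] pairs; each
CoAP method maps to one bit; a 'dynamic' permission bit for a method means the
method is allowed on resources created via the static path (e.g. the Location
returned by a POST). Bit assignments are assumed for this example only.
"""
from dataclasses import dataclass, field

# Assumed bit positions (this example's own choice, not the normative table).
METHOD_BITS = {
    "GET": 1 << 0, "POST": 1 << 1, "PUT": 1 << 2, "DELETE": 1 << 3,
    "FETCH": 1 << 4, "PATCH": 1 << 5, "iPATCH": 1 << 6,
}
DYNAMIC_SHIFT = 7  # assumed: Dynamic-<method> bit = method bit shifted left by 7


def method_bit(method: str) -> int:
    """Bit for a method on the static resource itself; unknown methods get no bit."""
    return METHOD_BITS.get(method, 0)


def dynamic_bit(method: str) -> int:
    """Bit for a method on resources created through the static resource."""
    return method_bit(method) << DYNAMIC_SHIFT


@dataclass
class AifPolicy:
    entries: dict[str, int]                      # static path -> permission bitmask
    created: dict[str, str] = field(default_factory=dict)  # dynamic path -> parent

    @classmethod
    def from_aif(cls, aif: list) -> "AifPolicy":
        """Parse the [path, bitmask] array form; reject malformed entries loudly."""
        entries = {}
        for item in aif:
            if not (isinstance(item, list) and len(item) == 2
                    and isinstance(item[0], str) and isinstance(item[1], int)
                    and item[1] >= 0):
                raise ValueError(f"malformed AIF entry: {item!r}")
            entries[item[0]] = entries.get(item[0], 0) | item[1]
        return cls(entries)

    def record_created(self, parent: str, new_path: str) -> None:
        """Server-side bookkeeping: new_path was created by a request to parent."""
        self.created[new_path] = parent

    def permits(self, method: str, path: str) -> bool:
        """Default deny: only an explicit static or dynamic bit grants access."""
        if path in self.entries:
            return bool(self.entries[path] & method_bit(method))
        parent = self.created.get(path)
        if parent is not None and parent in self.entries:
            return bool(self.entries[parent] & dynamic_bit(method))
        return False


def expand_owner_photos(owner: str, photo_db: dict[str, str], perm: int) -> list:
    """Show the limitation from the message: a grant like 'Peter's photos' has no
    AIF form except enumerating every matching resource into static entries."""
    return [[path, perm] for path, who in sorted(photo_db.items()) if who == owner]


if __name__ == "__main__":
    # Constructed sample policy: read a sensor, trigger an actuator and then
    # read back the action resource the trigger creates.
    policy = AifPolicy.from_aif([
        ["/s/temp", METHOD_BITS["GET"]],
        ["/a/led", METHOD_BITS["POST"] | dynamic_bit("GET")],
    ])
    policy.record_created("/a/led", "/a/led/3")
    print(policy.permits("GET", "/s/temp"), policy.permits("GET", "/a/led/3"))
    # Constructed photo database to show the enumeration problem.
    db = {"/photos/1": "peter", "/photos/2": "anna", "/photos/3": "peter"}
    print(expand_owner_photos("peter", db, METHOD_BITS["GET"]))
```

The evaluator is default-deny and the dynamic check only fires for a path the server itself recorded as created through an authorized static path, so a client cannot reach an unrelated resource by guessing a child path; `expand_owner_photos` makes the message's point visible, since the only way to express an ownership-based grant in this shape is to list every resource explicitly.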
