sbp commented on issue #242: URL: https://github.com/apache/tooling-trusted-releases/issues/242#issuecomment-3597088211
In [conversation on Slack](https://the-asf.slack.com/archives/C086X8CKEMB/p1764601240290289?thread_ts=1764598603.707769&cid=C086X8CKEMB) with @potiuk, we realised that this issue should be extended to cover authorisation by protocol as well as by role. In other words, this issue already asks: considering what role somebody has at the ASF, what actions should they be allowed to perform? In our discussion, however, we realised that we need to extend this to ask: for each action that users are allowed to perform, what should be the authentication and authorisation (AA) protocol requirements?

To make this even clearer, consider the following rough hierarchy of AA methods:

* MFA with hardware passkeys
* MFA with any passkeys
* MFA with TOTP or passkeys
* DPoP with pre-computation mitigation
* DPoP without pre-computation mitigation
* Bearer tokens with refresh
* Self-contained tokens such as JWT

For each API action allowed on ATR, we should consider which level or tier of AA method we require at a minimum. We don't want a situation where e.g. we require MFA with hardware passkeys to perform an action on the web interface, but we allow users to use a JWT to do the same thing through the API. But also we don't want a situation where we classify an action too high or too low, even if it's consistent.

By performing this analysis, it will help us to better understand which of these methods we need to implement. This in turn will help us to resolve issues such as #335.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
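One way to make the tier-per-action analysis mechanical, as an added example that is not part of the issue thread or the ATR code base: the hierarchy from the comment becomes a total order, each (action, interface) pair gets a minimum tier, a request is allowed only if the method it presented reaches that tier, and a lint flags actions whose web and API minimums disagree. The action names, the "web"/"api" interface labels and the assigned tiers are constructed assumptions for illustration, not ATR's actual policy.

```python
"""Tiered AA policy check: does the authentication method presented with a
request meet the minimum tier for the requested action, and are the web and
API paths to the same action held to the same minimum?"""
from enum import IntEnum


class AATier(IntEnum):
    """Rough hierarchy from the issue comment, weakest first. Only the
    relative rank matters to the checks below."""
    JWT = 0                   # self-contained tokens such as JWT
    BEARER_REFRESH = 1        # bearer tokens with refresh
    DPOP = 2                  # DPoP without pre-computation mitigation
    DPOP_MITIGATED = 3        # DPoP with pre-computation mitigation
    MFA_TOTP_OR_PASSKEY = 4   # MFA with TOTP or passkeys
    MFA_ANY_PASSKEY = 5       # MFA with any passkeys
    MFA_HARDWARE_PASSKEY = 6  # MFA with hardware passkeys


# Constructed sample policy (assumed action names and tiers, not ATR's):
# minimum tier required per (action, interface).
POLICY = {
    ("list_releases", "web"): AATier.JWT,
    ("list_releases", "api"): AATier.JWT,
    ("upload_artifact", "web"): AATier.MFA_TOTP_OR_PASSKEY,
    ("upload_artifact", "api"): AATier.DPOP_MITIGATED,  # deliberately inconsistent
    ("announce_release", "web"): AATier.MFA_HARDWARE_PASSKEY,
    ("announce_release", "api"): AATier.MFA_HARDWARE_PASSKEY,
}


def is_authorised(action, interface, presented, policy=POLICY):
    """Allow only when the tier actually achieved by the session or token
    is at least the action's minimum. Unknown actions fail closed."""
    required = policy.get((action, interface))
    if required is None:
        return False
    return presented >= required


def inconsistent_actions(policy=POLICY):
    """Actions whose minimum tier differs between interfaces, i.e. the
    'hardware passkey on the web but a JWT over the API' situation."""
    by_action = {}
    for (action, interface), tier in policy.items():
        by_action.setdefault(action, {})[interface] = tier
    return sorted(a for a, tiers in by_action.items()
                  if len(set(tiers.values())) > 1)
```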
