Re: [Geopriv] RE: [Simple] Changes in xcap-auth

From: hardie@qualcomm.com
Date: Fri Nov 07 2003 - 16:10:30 EST

At 3:21 PM -0500 11/07/2003, Jonathan Rosenberg wrote:
>
>To summarize (correct me if I am wrong), I think your suggestion was that exceptions can be handled by expanding the lists associated with the domain. As such, even though the user sees an exception rule in the UI, the underlying system pushes a permission with everyone in it.

I'm saying that's the protocol's view of the permission and the structure in
which they're encoded and sent. How the underlying system store the
permissions is, I think, a local optimization.

>My concern is that I believe this will be very difficult to manage. It requires the users to have access to the set of users in the domain from which the exceptions are being specified. That list is undoubtedly dynamic, and potentially pretty large. When a new employee joins the company, everyone would have to update their permissiosn (or have their agents do it automatically somehow), and similarly when someone leaves. The result will be odd behavior for users, where people that a user believes to have permission, actually doesnt.
>

This gets one of the points I was trying to make earlier; the difficulty here depends
on how the group data is structured. Let's assume that we have a very wide, flat
identifier, like "user@qualcomm.com"; granting to domain "qualcomm.com" with an
except on the basis of that identifier would be tough. If the identifiers were not
email-like, though, but based on group identifiers that were more distributed,
then granting them is slightly more tedious, but the except clauses become
easier--as it is a flat grant to groups 1-100, and increased grant to groups 1-9 and 11-100,
an increased grant to member 1,3,4 of group 10, and a failure to grant to member 2
of group 10. This does mean that adding to member 5 to group 10 creates a
synchronization problem. There are ways around that, and they are tedious and
potentially flakey.

You don't need to use them, though, unless you are doing exception based
processing. If this is very common, we may need to change our view of what is
critical. In the short term, I believe that getting to the point where the user can grant
permissions on a "domain" (not necessarily DNS label) is considerably beyond
where we are today, and I think a lot of the real need in GeoPriv is handled
by the explicit grant case.

Doing exception based processing might be possible, but it seems to put a
burden on the processor that requires it to ensure it has processed
*all rules* before it can proceed (perhaps a better way to put this is that it has
processed all "includes" before it can proceed). If it does not process all rules,
there seems to be a not trivial risk that user@qualcomm.com (a.k.a. Member 2 of group 10)
gets data that the privacy policy doesn't allow. That's simple not okay in the
GeoPriv view of the world.

I hope this is at least somewhat more clear, and I look forward to continuing
the discussion when we can scribble on a whiteboard/piece of paper.
                                regards,
                                        Ted

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www1.ietf.org/mailman/listinfo/geopriv
Received on Fri Nov 7 16:11:23 2003

This archive was generated by hypermail 2.1.8 : Thu Jan 22 2004 - 12:32:24 EST