-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What resource directory attributes are used to communicate AS to be used? #120
Comments
We haven't considered that point yet. I would expect that you could define resource types in RD that hold security information about a resource. I noticed you looked into the RD draft, do you have any suggestions? |
I don't know that this is a good idea or not, I understand why you want to do it, but putting an additional "as:URL" into every such resource does not seem to be a good idea for sizing as most people don't want it most of the time. Not sure that doing the RD lookup is a correct answer and if there is more than one AS in the system them you cannot just assume that getting the list of AS endpoints is going to be the right thing to do either. |
This clearly warrants more thought, and input from someone with better knowledge of the RD RFC. I'll reach out to CoRE. |
Ask Christian Amsüss for feed-back |
The RD should primarily contain data that could just as well be expressed in .well-known/core. When web links are concerned, neither per se directly allows broad-matching statements like "For all resources that match X, it is true that X is authorization-managed-by ". For individual resources, that can easily be stated; Carsten's example ( (On a side note, and if that's not already set in stone, it might be worth considering that scheme for error messages as well. There'd be no need for a dedicated application/ace+cbor format if the response to an underauthorized request could be "4.01, Content-Format:application/link-format, payload: If such a link expresses what you want to express, there remain two challenges:
|
Ludwig is going to be off email for the next couple of weeks.
|
Ad transitive expressions: We have no expression for wildcards or for-all-resources-here statements in link-format. We could of course mint a relation that says "From a My proposal is therefore to use other statements about the resources and link via those. We could mint a new link relation, like "shepherds", so that we'd publish
("The local dog shepherds both /temp and /hum, and gets-its-sheep-auth-managed-by that AS"). and then the client would first look up whom /temp is shepherded by (/local-dog), and then use its knowledge that "if X is shepherded by /local-dog and /local-dog has a sheperd-auth-managed-by address, that address provides tokens for X". Now that only really pays off if the statements about shepherding and the local dog are cheap in the RD and .well-known/core. Thus, we don't introduce a local dog, but use the "hosts" relation to the host's
which expands by the default values to roughly
("There's a thing that hosts both /temp and /hum, and it gets-all-its-hosted-resources-managed-by that AS"). and thus gives us a clean two-step statement about any resource announced by the host, without using any terminology like "on the same network address" that would lead to URIs being manipulated in unbefitting ways. |
Just so I can make sure that I am clear on this, it could be expanded as the follows
This would be how I could have a second resource of the same ilk which is managed by somebody else. |
Precisely. The question remains open whether we'll often want to group things to warrant having a dedicated |
I would agree that doing grouping-by-hosts is sufficient for the present time. |
This should go into a separate draft. Closing. |
Section 5.1 says that you can asked the RD rather than the resource to get the AS information, where is this placed in the RD? Is it assumed that only one AS is found? Are there resource types which correspond to an AS?
The text was updated successfully, but these errors were encountered: