[gnso-rds-pdp-wg] Taxonomy: Authorization and Authentication

Mark Svancarek marksv at microsoft.com
Wed Jul 20 23:43:31 UTC 2016


thx

From: Lisa Phifer [mailto:lisa at corecom.com]
Sent: Wednesday, July 20, 2016 2:11 PM
To: Mark Svancarek <marksv at microsoft.com>; gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] Taxonomy: Authorization and Authentication

Mark,

One more "A" term to add to the mix: Accreditation.

The EWG recommended authentication based on credentials issued to accredited RDS users. While basic registration data would remain publicly available, the rest would become accessible only to users who authenticated themselves, stated a purpose, and agreed to be held accountable for appropriate use. Only the requested data elements which policy authorized for that user+purpose would then be disclosed (for example, in an RDAP response).

This raised very tough questions around how RDS users might be accredited, who could realistically accredit them, and (for each purpose and type of user) which data elements they might be authorized to access. You can find thinking on this in Section IV(c) of the EWG's report and in the EWG's Registration Directory Service User Accreditation RF<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fcommunity.icann.org%2fdownload%2fattachments%2f45744698%2fEWG%2520USER%2520ACCREDITATION%2520RFI%2520SUMMARY%252013%2520March%25202014.pdf&data=01%7c01%7cmarksv%40microsoft.com%7caccf9fb2e08b4cc242cc08d3b0e2729f%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=ZYwP36JTkSCP0RFbHcaNkzWdyESaL7HIplvbLoJI78U%3d>I which gathered technical input. Ultimately, the EWG flagged "accreditation bodies and policies for RDS user communities" as an issue needing to be more fully addressed (pg 121).

I thought you might find this past work of interest - in particular, the notion that RDS authorization might depend on more than who you are, including factors such as stated purpose, whether you have been accredited for that purpose, and access policies for each data element you request.

Best, Lisa



At 12:19 PM 7/20/2016, Mark Svancarek via gnso-rds-pdp-wg wrote:

Content-Language: en-US
Content-Type: multipart/alternative;
         boundary="_000_CO2PR03MB2135BFFF802A5C6DC446A4ECD1080CO2PR03MB2135namp_"

We use these terms a lot and we also use phrases which mean things similar to these terms.  I'd like to explicitly define them and I encourage all to use them as defined so as to be clear and concise.  I think it will help.

*         Authentication = based on the credentials you have shared (e.g. user name, password, SMS response, smart card, etc.), we know who you are
*         Authorization = based on who you are, you are allowed to access specific resources and those resources only, i.e. we define what you can do

If you want to be extra-nerdy:

*         Authentication can be abbreviated "authN"
*         Authorization can be abbreviated "authZ"
*         Authentication and Authorization together can be referenced as "authX"

I hope that's useful.

/marksv
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7caccf9fb2e08b4cc242cc08d3b0e2729f%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=FnD1xYr1ocHWLdN%2f58YU9NiNKeJ4VyzSadE5QMKprKU%3d>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160720/9130ea8a/attachment.html>


More information about the gnso-rds-pdp-wg mailing list