<html>
<body>
Mark,<br><br>
One more "A" term to add to the mix: Accreditation. <br><br>
The EWG recommended authentication based on credentials issued to
<i>accredited RDS users</i>. While basic registration data would remain
publicly available, the rest would become accessible only to users who
authenticated themselves, stated a purpose, and agreed to be held
accountable for appropriate use. Only the requested data elements which
policy authorized for that user+purpose would then be disclosed (for
example, in an RDAP response).<br><br>
This raised very tough questions around how RDS users might be
accredited, who could realistically accredit them, and (for each purpose
and type of user) which data elements they might be authorized to access.
You can find thinking on this in Section IV(c) of the EWG's report and in
the EWG's
<a href="https://community.icann.org/download/attachments/45744698/EWG%20USER%20ACCREDITATION%20RFI%20SUMMARY%2013%20March%202014.pdf">
Registration Directory Service User Accreditation RF</a>I which gathered
technical input. Ultimately, the EWG flagged "accreditation bodies
and policies for RDS user communities" as an issue needing to be
more fully addressed (pg 121).<br><br>
I thought you might find this past work of interest - in particular, the
notion that RDS authorization might depend on more than who you are,
including factors such as stated purpose, whether you have been
accredited for that purpose, and access policies for each data element
you request.<br><br>
Best, Lisa<br>
<br><br>
<br>
At 12:19 PM 7/20/2016, Mark Svancarek via gnso-rds-pdp-wg wrote:<br>
<blockquote type=cite class=cite cite="">Content-Language: en-US<br>
Content-Type: multipart/alternative;<br>
<x-tab> </x-tab>
boundary="_000_CO2PR03MB2135BFFF802A5C6DC446A4ECD1080CO2PR03MB2135namp_"<br>
<br>
We use these terms a lot and we also use phrases which mean things
similar to these terms. Id like to explicitly define them and I
encourage all to use them as defined so as to be clear and concise.
I think it will help.<br>
<br>
· <b>Authentication</b> =
based on the credentials you have shared (e.g. user name, password, SMS
response, smart card, etc.), we know<b> <u>who you are<br>
</u></b>·
<b>Authorization</b> = based on who you are, you are allowed to access
specific resources and those resources only, i.e. we define <b><u>what
you can do<br>
</u></b> <br>
If you want to be extra-nerdy:<br>
<br>
· Authentication can be
abbreviated <b>authN</b><br>
· Authorization can be
abbreviated <b>authZ</b><br>
· Authentication and
Authorization together can be referenced as <b>authX</b><br>
<br>
I hope thats useful.<br>
<br>
/marksv<br>
_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
gnso-rds-pdp-wg@icann.org<br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" eudora="autourl">
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></blockquote>
</body>
</html>