
RE: Credential DELETE Operation



Stephen,

OK, I accept that it is too late for this update to introduce a new request
type.  

However, there is the problem with the schema which I believe prevents the
current protocol from working and so I think it needs to be changed.  

The current definition of CredentialType is

     <complexType name="CredentialType">
      <sequence>
       <element name="CredentialSelector" type="string"/>
       <element name="LastModified" type="dateTime"/>
       <element name="Payload" type="ds:KeyInfoType"/>
       <element name="TimeToLive" type="string" minOccurs="0"/>
       <element ref="sacred:ProcessInfo" minOccurs="0"/>
       <element ref="sacred:ClientInfo" minOccurs="0"/>
      </sequence>
      <attribute name="Delete" type="string" use="optional"/>
     </complexType>

This does not allow a Credential to not have a Payload as required in an
UploadRequest to delete the named credentials.  

I think that it needs to be changed to

     <complexType name="CredentialType">
      <sequence>
       <element name="CredentialSelector" type="string"/>
       <element name="LastModified" type="dateTime"/>
       <element name="Payload" type="ds:KeyInfoType" minOccurs="0"/>
       <element name="TimeToLive" type="string" minOccurs="0"/>
       <element ref="sacred:ProcessInfo" minOccurs="0"/>
       <element ref="sacred:ClientInfo" minOccurs="0"/>
      </sequence>
      <attribute name="Delete" type="string" use="optional"/>
     </complexType>

This would only require the CredentialSelector and LastModified.

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@xxxxxxxxxxxx]
> Sent: 19 December 2002 12:16
> To: Richards, Gareth
> Cc: ietf-sacred@xxxxxxx
> Subject: Re: Credential DELETE Operation
> 
> 
> 
> Gareth,
> 
> I do have some sympathy with this approach, but it's somewhat late
> in the day (for this rev of the I-D) to be making such a biggish
> change given that we do have a working protocol (I don't think
> you're saying it doesn't work as is) and don't have text for
> the suggested change.
> 
> So I'd be against making this change right now.
> 
> During the last-call of the protocol draft (next rev hopefully today!)
> you can of course suggest this change *with specific text* that
> implements it (and I'd suggest waiting to base your text on the -05 I-D).
> 
> At that stage we can take it on board or not, depending on the usual
> things...
> 
> Is that ok?
> 
> Stephen.
> 
> "Richards, Gareth" wrote:
> > 
> > In the current ID, credentials are deleted using the UploadRequest.
> > 
> > According to section 2.2.1:
> > 
> > a) If the UploadRequest contains no Credential and the UploadRequest
> > contains a "Delete="yes"" attribute, then all the credentials
> > associated with that account are deleted.
> > 
> > b) If the new credential from the UploadRequest contains no PayLoad
> > field and the new credential has a "Delete="yes"" attribute, then the
> > (one and only) "matching" credential is deleted.
> > 
> > One minor point is that in the current schema the Payload is not an
> > optional element in the CredentialType and this appears to be required
> > to allow the second delete to occur.
> > 
> > However, it may be simpler to implement the DELETE operation described
> > in Section 3.3 of the framework document with a separate DeleteRequest
> > rather than overloading the UploadRequest in the way described.  One
> > possibility would be for the DeleteRequest PDU to be either empty or
> > contain a CredentialSelector and optional LastModified.  If it is empty
> > then it is a request to delete all credentials, otherwise it is a
> > request to delete a specific credential.
> > 
> > This would have a number of advantages:
> > 
> > 1) There would be no need to have a Delete attribute in the
> > CredentialType.
> > 
> > 2) There would be no need to have an optional Payload since the only
> > time a Credential can meaningfully not contain a Payload is if the
> > Delete attribute is set to "yes" and it is contained in an
> > UploadRequest.
> > 
> > 3) The UploadRequest PDU could be simplified by removing the Delete
> > attribute and making the Credential mandatory.
> > 
> > 4) The conditions on the use of UploadRequest given in section 2.2.1
> > would be simplified.
> 
> -- 
> ____________________________________________________________
> Stephen Farrell         				   
> Baltimore Technologies,   tel: (direct line) +353 1 881 6716
> 39 Parkgate Street,                     fax: +353 1 881 7000
> Dublin 8.                mailto:stephen.farrell@xxxxxxxxxxxx
> Ireland                             http://www.baltimore.com
>
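
Added example, not part of the original message or of the SACRED draft: a minimal Python check of the CredentialType sequence, as currently defined and as proposed above, against a constructed Payload-less Credential of the kind the delete case needs. It checks only child order and minOccurs, not full XML Schema validation; the element namespace is omitted and the selector and timestamp values are made up.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# CredentialType as quoted in the message; the Payload occurrence is the only
# difference between the current and the proposed definition.
SCHEMA = """<complexType name="CredentialType" xmlns="http://www.w3.org/2001/XMLSchema">
 <sequence>
  <element name="CredentialSelector" type="string"/>
  <element name="LastModified" type="dateTime"/>
  <element name="Payload" type="ds:KeyInfoType"{payload_occurs}/>
  <element name="TimeToLive" type="string" minOccurs="0"/>
  <element ref="sacred:ProcessInfo" minOccurs="0"/>
  <element ref="sacred:ClientInfo" minOccurs="0"/>
 </sequence>
 <attribute name="Delete" type="string" use="optional"/>
</complexType>"""
CURRENT = SCHEMA.format(payload_occurs="")
PROPOSED = SCHEMA.format(payload_occurs=' minOccurs="0"')

# Constructed sample: a credential marked for deletion, carrying no Payload.
DELETE_CREDENTIAL = """<Credential Delete="yes">
  <CredentialSelector>example-credential</CredentialSelector>
  <LastModified>2002-12-19T12:16:00Z</LastModified>
</Credential>"""

def content_model(xsd_text):
    """Return [(local element name, minOccurs)] for the type's sequence."""
    seq = ET.fromstring(xsd_text).find(f"{XS}sequence")
    model = []
    for el in seq.findall(f"{XS}element"):
        name = el.get("name") or el.get("ref").split(":")[-1]
        model.append((name, int(el.get("minOccurs", "1"))))
    return model

def check(model, credential_xml):
    """Check child order and occurrence (maxOccurs is 1 throughout)."""
    children = [c.tag.split("}")[-1] for c in ET.fromstring(credential_xml)]
    errors, i = [], 0
    for name, min_occurs in model:
        if i < len(children) and children[i] == name:
            i += 1                      # element present in the expected position
        elif min_occurs > 0:
            errors.append(f"missing required element {name}")
    if i < len(children):
        errors.append(f"unexpected element {children[i]}")
    return errors

if __name__ == "__main__":
    print("current: ", check(content_model(CURRENT), DELETE_CREDENTIAL))
    print("proposed:", check(content_model(PROPOSED), DELETE_CREDENTIAL))
```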