Re: Credential DELETE Operation
Done. Thanks.
Stephen.
"Richards, Gareth" wrote:
>
> Stephen,
>
> OK, I accept that it is too late for this update to introduce a new request
> type.
>
> However, there is the problem with the schema which I believe prevents the
> current protocol from working and so I think it needs to be changed.
>
> The current definition of CredentialType is
>
> <complexType name="CredentialType">
>   <sequence>
>     <element name="CredentialSelector" type="string"/>
>     <element name="LastModified" type="dateTime"/>
>     <element name="Payload" type="ds:KeyInfoType"/>
>     <element name="TimeToLive" type="string" minOccurs="0"/>
>     <element ref="sacred:ProcessInfo" minOccurs="0"/>
>     <element ref="sacred:ClientInfo" minOccurs="0"/>
>   </sequence>
>   <attribute name="Delete" type="string" use="optional"/>
> </complexType>
>
> This does not allow a Credential to not have a Payload as required in an
> UploadRequest to delete the named credentials.
>
> I think that it needs to be changed to
>
> <complexType name="CredentialType">
>   <sequence>
>     <element name="CredentialSelector" type="string"/>
>     <element name="LastModified" type="dateTime"/>
>     <element name="Payload" type="ds:KeyInfoType" minOccurs="0"/>
>     <element name="TimeToLive" type="string" minOccurs="0"/>
>     <element ref="sacred:ProcessInfo" minOccurs="0"/>
>     <element ref="sacred:ClientInfo" minOccurs="0"/>
>   </sequence>
>   <attribute name="Delete" type="string" use="optional"/>
> </complexType>
>
> This would only require the CredentialSelector and LastModified.
> > -----Original Message-----
> > From: Stephen Farrell [mailto:stephen.farrell@xxxxxxxxxxxx]
> > Sent: 19 December 2002 12:16
> > To: Richards, Gareth
> > Cc: ietf-sacred@xxxxxxx
> > Subject: Re: Credential DELETE Operation
> >
> >
> >
> > Gareth,
> >
> > I do have some sympathy with this approach, but it's somewhat late
> > in the day (for this rev of the I-D) to be making such a biggish
> > change given that we do have a working protocol (I don't think
> > you're saying it doesn't work as is) and don't have text for
> > the suggested change.
> >
> > So I'd be against making this change right now.
> >
> > During the last-call of the protocol draft (next rev hopefully today!)
> > you can of course suggest this change *with specific text* that implements
> > it (and I'd suggest waiting to base your text on the -05 I-D).
> >
> > At that stage we can take it on board or not, depending on the usual
> > things...
> >
> > Is that ok?
> >
> > Stephen.
> >
> > "Richards, Gareth" wrote:
> > >
> > > In the current ID, credentials are deleted using the UploadRequest.
> > >
> > > According to section 2.2.1:
> > >
> > > a) If the UploadRequest contains no Credential and the UploadRequest
> > > contains a "Delete="yes"" attribute, then all the credentials associated
> > > with that account are deleted.
> > >
> > > b) If the new credential from the UploadRequest contains no PayLoad field
> > > and the new credential has a "Delete="yes"" attribute, then the (one and
> > > only) "matching" credential is deleted.
> > >
> > > One minor point is that in the current schema the Payload is not an
> > > optional element in the CredentialType and this appears to be required to
> > > allow the second delete to occur.
> > >
> > > However, it may be simpler to implement the DELETE operation described in
> > > Section 3.3 of the framework document with a separate DeleteRequest rather
> > > than overloading the UploadRequest in the way described. One possibility
> > > would be for the DeleteRequest PDU to be either empty or contain a
> > > CredentialSelector and optional LastModified. If it is empty then it is a
> > > request to delete all credentials, otherwise it is a request to delete a
> > > specific credential.
> > >
> > > This would have a number of advantages:
> > >
> > > 1) There would be no need to have a Delete attribute in the
> > > CredentialType.
> > >
> > > 2) There would be no need to have an optional Payload since the only time
> > > a Credential can meaningfully not contain a Payload is if the Delete
> > > attribute is set to "yes" and it is contained in an UploadRequest.
> > >
> > > 3) The UploadRequest PDU could be simplified by removing the Delete
> > > attribute and making the Credential mandatory.
> > >
> > > 4) The conditions on the use of the UploadRequest given in section 2.2.1
> > > would be simplified.
> >
--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 881 6716
39 Parkgate Street, fax: +353 1 881 7000
Dublin 8. mailto:stephen.farrell@xxxxxxxxxxxx
Ireland http://www.baltimore.com
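An added example (not from the thread or the SACRED drafts) that models the section 2.2.1 dispatch quoted above and shows why the Payload change is needed: a Payload-less delete Credential is rejected under the current required-element list and accepted under the proposed one. Element names follow the quoted schema fragments with namespaces dropped, and the sample requests are constructed; both are assumptions.

```python
import xml.etree.ElementTree as ET

# Required children of CredentialType under the two schema variants quoted in
# the thread. Namespaces (sacred:, ds:) are omitted here; that is an assumption.
CURRENT_REQUIRED = ("CredentialSelector", "LastModified", "Payload")
PROPOSED_REQUIRED = ("CredentialSelector", "LastModified")


def credential_valid(cred, required):
    """True if each required child element appears exactly once."""
    return all(len(cred.findall(name)) == 1 for name in required)


def classify_upload(xml_text, required=PROPOSED_REQUIRED):
    """Section 2.2.1 rules: no Credential plus Delete="yes" deletes all;
    a Credential with Delete="yes" and no Payload deletes the match."""
    req = ET.fromstring(xml_text)
    cred = req.find("Credential")
    if cred is None:
        if req.get("Delete") == "yes":
            return ("delete_all", None)
        raise ValueError("UploadRequest without Credential needs Delete='yes'")
    if not credential_valid(cred, required):
        raise ValueError("Credential does not satisfy the schema")
    selector = cred.findtext("CredentialSelector")
    if cred.get("Delete") == "yes" and cred.find("Payload") is None:
        return ("delete_one", selector)
    if cred.find("Payload") is None:
        # Point 2) in the thread: a Payload-less Credential only makes sense
        # as a delete; rejecting anything else is an assumption made here.
        raise ValueError("upload Credential must carry a Payload")
    return ("upload", selector)


def accepted(xml_text, required):
    """True if the request is accepted under the given schema variant."""
    try:
        classify_upload(xml_text, required)
        return True
    except ValueError:
        return False


# Constructed sample requests (not taken from the thread).
DELETE_ALL = '<UploadRequest Delete="yes"/>'
DELETE_ONE = ('<UploadRequest><Credential Delete="yes">'
              '<CredentialSelector>work-key</CredentialSelector>'
              '<LastModified>2002-12-19T12:16:00Z</LastModified>'
              '</Credential></UploadRequest>')
UPLOAD = DELETE_ONE.replace(' Delete="yes"', '').replace(
    '</LastModified>', '</LastModified><Payload><KeyName>k1</KeyName></Payload>')
```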