[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Credential DELETE Operation
Stephen,
It is not clear to me how we could make an explicit delete-all clean and
unambiguous.
As mentioned by Dale earlier, the DeleteRequest could have a "DeleteAll"
attribute empty and the DeleteAll attribute to be used in this type of
request. For example:
<element name="DeleteRequest">
<complexType>
<sequence minOccurs="0" maxOccurs="1">
<element name="CredentialSelector" type="string"/>
<element name="LastModified" type="dateTime" minOccurs="0"/>
<element ref="sacred:ProcessInfo" minOccurs="0"/>
</sequence>
<attribute name="DeleteAll" type="boolean" use="optional"/>
</complexType>
</element>
However, as mentioned by Magnus, this schema allows for the DeleteAll to be
present if the CredentialSelector is present which doesn't really make sense
if the attribute is true. I don't know how to define the schema to not
allow this. Does anyone know of a way?
Another possibility mentioned was to have a reserved CredentialSelector
value which I think would introduce extra error conditions that would have
to be described for other PDUs. For example, this name cannot be used in an
upload request.
Do we actually need a delete-all? If we are concerned about accidental
deletion of all a user's credentials then we could require that they are all
explicitly deleted by name. Just a thought.
>
>
> If we adopt the new message, that'd make more sense.
>
> What about making delete-all explicit? I assume you'd agree with
> that too? How'd you want that done?
>
> Stephen.
>
> "Richards, Gareth" wrote:
> >
> > Stephen,
> >
> > >
> > > Meanwhile, if we did make this change, where'd be the text that
> > > tells the server what to do when it gets an UploadRequest
> > > containing zero credentials?
> >
> > I would think that if we do have a DeleteRequest then there
> is no need to
> > allow an empty UploadRequest and so the start of section
> 2.2.1 could be:
> >
> > 2.2.1 Credential Upload
> >
> > This operation REQUIRES mutual authentication.
> >
> > The purpose of this operation is to allow the client to deposit a
> > credential with the server.
> >
> > The client sends an UploadRequest message to the server
> which MUST
> > contain one Credential.
> >
> > The schema could then be:
> >
> > <!-- Upload request -->
> > <element name="UploadRequest">
> > <complexType>
> > <sequence>
> > <element name="Credential" type="sacred:CredentialType"/>
> > </sequence>
> > </complexType>
> > </element>
> > >
> > > Stephen.
> > >
> > > "Richards, Gareth" wrote:
> > > >
> > > > Stephen,
> > > >
> > > > Sorry for the delay in getting back to you on this.
> > > >
> > > > A simple form of DELETE request could be something like this:
> > > >
> > > > <element name="DeleteRequest">
> > > > <complexType>
> > > > <sequence minOccurs="0" maxOccurs="1">
> > > > <element name="CredentialSelector" type="string"/>
> > > > <element name="LastModified" type="dateTime"
> > > maxOccurs="1"/>
> > > >
> > > > </sequence>
> > > > </complexType>
> > > > </element>
> > > >
> > > > I think this would meet the requirements in section 3.3 of
> > > the framework:
> > > >
> > > > 1. The CredentialSelector identifies the credential to delete.
> > > > 2. The LastModified is the optional fingerprint.
> > > >
> > > > A DELETE-ALL operation could be handled by having an
> empty request.
> > > >
> > > > The references to delete could be removed from the
> > > description of the
> > > > UploadRequest by changing the first six paragraphs of
> > > section 2.2.1 as
> > > > follows:
> > > >
> > > > 2.2.1 Credential Upload
> > > >
> > > > This operation REQUIRES mutual authentication.
> > > >
> > > > The purpose of this operation is to allow the client
> to deposit a
> > > > credential with the server.
> > > >
> > > > The client sends an UploadRequest message to the
> server which can
> > > > contain zero or one Credential.
> > > >
> > > > If a credential with the same credential selector
> field as in the
> > > > UploadRequest, (a "matching" credential), already
> exists for the
> > > > account, then that credential is replaced with the
> new credential
> > > > from the UploadRequest. Otherwise a "new" credential is
> > > associated
> > > > with that account.
> > > >
> > > > If no "matching" credential exists, the server
> returns an error.
> > > >
> > > >
> > > >
> > > > A new section would then be needed describing the new operation.
> > > >
> > > > 2.2.3 Credential Delete
> > > >
> > > > This operation REQUIRES mutual authentication.
> > > >
> > > > The purpose of this operation is to allow the client to
> > > delete one or
> > > > more credentials
> > > > associated with the account.
> > > >
> > > > The client sends an DeleteRequest message to the
> server which can
> > > > contain zero or one CredentialSelector. If the
> > > UploadRequest contains no
> > > > CredentialSelector then the all the credentials
> > > associated with that
> > > > account
> > > > are deleted.
> > > >
> > > > If no "matching" credential exists, the server
> returns an error.
> > > >
> > > > If the LastModified value is present in the
> > > DeleteRequest then it MUST be
> > > > the value which
> > > > was most recently received in a corresponding
> > > DownloadResponse for
> > > > that credential. If the value does not match then the
> > > server MUST NOT
> > > > delete the credentials.
> > > >
> > > > The server responds with an error or acknowledgement message.
> > > >
> > > > Dale raised the issue of unintentionally deleting all
> > > credentials but I'm
> > > > not sure how much of a risk there is since the PDUs would
> > > not be created by
> > > > the user's directly.
> > > >
> > > > > -----Original Message-----
> > > > > From: Stephen Farrell [mailto:stephen.farrell@xxxxxxxxxxxx]
> > > > > Sent: 19 December 2002 12:16
> > > > > To: Richards, Gareth
> > > > > Cc: ietf-sacred@xxxxxxx
> > > > > Subject: Re: Credential DELETE Operation
> > > > >
> > > > >
> > > > >
> > > > > Gareth,
> > > > >
> > > > > I do have some sympathy with this approach, but its
> somewhat late
> > > > > in the day (for this rev of the I-D) to be making
> such a bigish
> > > > > change given that we do have a working protocol (I don't think
> > > > > you're saying it doesn't work as is) and don't have text for
> > > > > the suggested change.
> > > > >
> > > > > So I'd be against making this change right now.
> > > > >
> > > > > During the last-call of the protocol draft (next rev
> > > > > hopefully today!)
> > > > > you can of course suggest this change *with specific text*
> > > > > that implements
> > > > > it (and I'd suggest waiting to base your text on the -05 I-D).
> > > > >
> > > > > At that stage we can take it on board or not, depending
> > > on the usual
> > > > > things...
> > > > >
> > > > > Is that ok?
> > > > >
> > > > > Stephen.
> > > > >
> > > > > "Richards, Gareth" wrote:
> > > > > >
> > > > > > In the current ID, credentials are deleted using the
> > > UploadRequest.
> > > > > >
> > > > > > According to section 2.2.1:
> > > > > >
> > > > > > a) If the UploadRequest contains no Credential and the
> > > UploadRequest
> > > > > > contains a "Delete="yes"" attribute, then the all the
> > > > > credentials associated
> > > > > > with that account are deleted.
> > > > > >
> > > > > > b) If the new credential from the UploadRequest contains no
> > > > > PayLoad field
> > > > > > and the new credential has a "Delete="yes"" attribute, then
> > > > > the (one and
> > > > > > only) "matching" credential is deleted.
> > > > > >
> > > > > > One minor point is that in the current schema the Payload
> > > > > is not an optional
> > > > > > element in the CredentialType and this appears to be
> > > > > required to allow the
> > > > > > second delete to occur.
> > > > > >
> > > > > > However, it may be simpler to implement the DELETE
> > > > > operation described in
> > > > > > Section 3.3 of the framework document with a separate
> > > > > DeleteRequest rather
> > > > > > than overloading the UploadRequest in the way described.
> > > > > One possibility
> > > > > > would be for the DeleteRequest PDU to be either empty
> > > or contain an
> > > > > > CredentialSelector and optional LastModified. If it is
> > > > > empty then it is a
> > > > > > request to delete all credential otherwise it is a request
> > > > > to delete a
> > > > > > specific credential.
> > > > > >
> > > > > > This would have a number of advantages:
> > > > > >
> > > > > > 1) There would be no need to have a Delete attribute in the
> > > > > CredentialType.
> > > > > >
> > > > > > 2) There would be no need to have an optional Payload since
> > > > > the only time a
> > > > > > Credential can meaningfully not contain a Payload is if the
> > > > > Delete attribute
> > > > > > is set to "yes" and it is contained in an UploadRequest.
> > > > > >
> > > > > > 3) The UploadRequest PDU could be simplified by
> > > removing the Delete
> > > > > > attribute and making the Credential mandatory.
> > > > > >
> > > > > > 4) The conditions on the use UploadRequest given in section
> > > > > 2.2.1 would be
> > > > > > simplified.
> > > > >
> > > > > --
> > > > > ____________________________________________________________
> > > > > Stephen Farrell
> > > > > Baltimore Technologies, tel: (direct line) +353 1 881 6716
> > > > > 39 Parkgate Street, fax: +353 1 881 7000
> > > > > Dublin 8. mailto:stephen.farrell@xxxxxxxxxxxx
> > > > > Ireland http://www.baltimore.com
> > > > >
> > >
> > > --
> > > ____________________________________________________________
> > > Stephen Farrell
> > > Baltimore Technologies, tel: (direct line) +353 1 881 6716
> > > 39 Parkgate Street, fax: +353 1 881 7000
> > > Dublin 8. mailto:stephen.farrell@xxxxxxxxxxxx
> > > Ireland http://www.baltimore.com
> > >
>
> --
> ____________________________________________________________
> Stephen Farrell
> Baltimore Technologies, tel: (direct line) +353 1 881 6716
> 39 Parkgate Street, fax: +353 1 881 7000
> Dublin 8. mailto:stephen.farrell@xxxxxxxxxxxx
> Ireland http://www.baltimore.com
>