- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Tue, 20 Nov 2012 07:15:24 -0500
- To: Henry Story <henry.story@bblfish.net>
- CC: Olivier Berger <olivier.berger@it-sudparis.eu>, public-webid <public-webid@w3.org>
- Message-ID: <50AB745C.4070406@openlinksw.com>
On 11/19/12 7:44 PM, Henry Story wrote: > In Java there is the Principal class > > http://docs.oracle.com/javase/1.4.2/docs/api/java/security/Principal.html > > [[ > This interface represents the abstract notion of a principal, which can be used to represent any entity, such as an individual, a corporation, and a login id. > ]] > > You can see the subclasses there are JMXPrincipal, and X500Principal > > There is the Subject class > > http://docs.oracle.com/javase/1.4.2/docs/api/javax/security/auth/Subject.html > > [[ > Subject represents a grouping of related information for a single entity, such as a person. Such information includes the Subject's identities as well as its security-related attributes (passwords and cryptographic keys, for example). > ]] > > > Next: > > http://tools.ietf.org/html/rfc3744#section-2 > > [[ > A principal is a network resource that represents a distinct human or > computational actor that initiates access to network resources. > Users and groups are represented as principals in many > implementations; other types of principals are also possible. A URI > of any scheme MAY be used to identify a principal resource. However, > servers implementing this specification MUST expose principal > resources at an http(s) URL, which is a privileged scheme that points > to resources that have additional properties, as described in > Section 4. So, a principal resource can have multiple URIs, one of which has > to be an http(s) scheme URL. Although an implementation SHOULD > support PROPFIND and MAY support PROPPATCH to access and modify > information about a principal, it is not required to do so. > > A principal resource may be a group, where a group is a principal > that represents a set of other principals, called the members of the > group. If a person or computational agent matches a principal > resource that is a member of a group, they also match the group. > Membership in a group is recursive, so if a principal is a member of > group GRPA, and GRPA is a member of group GRPB, then the principal is > also a member of GRPB. > > ]] > > Note: > - a Principal is a "network resource" that represents an actor. > - "a uri of any scheme may be used to identify a principal resource". > > a network resource is NOT a subject. It _represents_ a subject - which is different. > That is why I have 2 functions: > 1. a function that goes from a string to a URI referent ( usually a network resource I will add) > 2. a function from that uri referent to the subject. > > In the above a Principal is a network resource. I have shifted it to be a type of identifier... > I don't think the use is very clear anywhere. One could call the one the Principal String, the > other the Principal. Essentially the point is that these things don't denote the Agent directly, > only indirectly. Henry, You've referenced Java and one IETF spec. As you know, there are other specs from the IETF offering alternative views about this matter, in the realm of security. CalDAV [1]: " Support for MKCALENDAR on the server is only RECOMMENDED and not REQUIRED because some calendar stores only support one calendar per user (or principal), and those are typically pre-created for each account. However, servers and clients are strongly encouraged to support MKCALENDAR whenever possible to allow users to create multiple calendar collections to help organize their data better.? CardDAV [2]: " Namespace: urn:ietf:params:xml:ns:carddav Purpose: Identifies the URL of any WebDAV collections that contain address book collections owned by the associated principal resource. " Note: principal resource phrase. CORBA [3]: "The security functionality defined by this specification comprises: Identification and authentication of principals (human users and objects that need to operate under their own rights) to verify they are who they claim to be. " WebDAV [4]: "WebDAV [RFC4918] is an extension to HTTP [RFC2616] to support improved document authoring capabilities. The WebDAV Access Control Protocol ("WebDAV ACL") [RFC3744] extension adds access control capabilities to WebDAV. It introduces the concept of a "principal" resource, which is used to represent information about authenticated entities on the system." The definition above is the closest to what you seek i.e., a "principal" resource. Like other Web resources, you can denote this kind of resource with a URI (which may or may note resolve to anything) . Links: 1. http://tools.ietf.org/html/rfc4791 -- CalDAV 2. http://tools.ietf.org/html/rfc6352 -- CardDAV 3. http://www.omg.org/technology/documents/security_spec_catalog.htm -- CORBA 4. http://tools.ietf.org/html/rfc5397 -- WebDAV. Kingsley > > > On 19 Nov 2012, at 21:55, Olivier Berger <olivier.berger@it-sudparis.eu> wrote: > >> Hi. >> >> Henry Story <henry.story@bblfish.net> writes: >> >>> I have defined Principal much more carefully here >>> http://www.w3.org/2005/Incubator/webid/wiki/Identity_Interoperability#logical_relationships_of_principals >>> >> Maybe it's just my poor knowledge of the english language... but could >> you point me to a reference definition of "Principal" that would apply >> here, for instance in http://en.wiktionary.org/wiki/principal ? >> >> Just for the sake of clarity, I guess we should prefer common language >> terms as much as possible... >> >> Or maybe it's just me ? >> >> Kind regards, >> -- >> Olivier BERGER >> http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8 >> Ingenieur Recherche - Dept INF >> Institut Mines-Telecom, Telecom SudParis, Evry (France) > Social Web Architect > http://bblfish.net/ > -- Regards, Kingsley Idehen Founder & CEO OpenLink Software Company Web: http://www.openlinksw.com Personal Weblog: http://www.openlinksw.com/blog/~kidehen Twitter/Identi.ca handle: @kidehen Google+ Profile: https://plus.google.com/112399767740508618350/about LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 20 November 2012 12:15:54 UTC