[GNAP] Human Rights Protocol Considerations applied to GNAP

Adrian Gropper <agropper@healthurl.com> Tue, 08 November 2022 06:13 UTC

From: Adrian Gropper <agropper@healthurl.com>
Date: Tue, 08 Nov 2022 01:13:30 -0500
Message-ID: <CANYRo8ju62xOsbfsey-3U9nzUG+zxW-=dOeaRvbCwp5aS4O3BQ@mail.gmail.com>
To: GNAP Mailing List <txauth@ietf.org>, hrpc@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/O4Sj8XtzPRieJ9WTNHnt-LvcXY4>
Subject: [GNAP] Human Rights Protocol Considerations applied to GNAP

The GNAP protocol risks creating a forced association per HRPC.

A draft PR is at
https://deploy-preview-434--gnap-core-protocol-editors-draft.netlify.app/draft-ietf-gnap-core-protocol#section-13
(This PR was closed in the core spec pending a potential move to the
resource server spec as discussed in [4].)

Here's what I'm hoping is discussed between the GNAP review of the Human
Rights Considerations PR on Thursday and the HRPC Discussion on Friday:

1 - The HRPC Abstract explicitly addresses "forced association" [1].
2 - GNAP is primarily a delegated authorization protocol [2].
3 - Delegation can be to the client, authorization server, and end-user
roles in GNAP.
4 - Forced association with a delegate might be a human rights issue.
5 - A PR was submitted that discusses the human rights issue, referencing
HRPC, as well as mitigations [3].
6 - The PR and subsequent comments describe three possible mitigations [4].
7 - Antecedent authorization protocols, such as OAuth, that force
association have led to unintended platform network effects.
8 - Guidance from HRPC is sought as to the process by which (GNAP / IETF?)
decides whether the mitigations are to be a SHOULD.

[1] https://datatracker.ietf.org/meeting/115/agenda/hrpc-drafts.pdf
[2] https://datatracker.ietf.org/meeting/115/agenda/gnap-drafts.pdf
[3] https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/434
[4] https://github.com/ietf-wg-gnap/gnap-resource-servers/issues/54

The PR will be discussed in GNAP on Thursday Session 1.
The HRPC discussion is on Friday Session 1.
I hope many will participate in both sessions.

- Adrian