IETF Logo Mail Archive

Re: [GNAP] DID as sub_id or assertion?

Adrian Gropper <agropper@healthurl.com> Wed, 17 March 2021 23:18 UTC

Return-Path: <agropper@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 456C43A17AC for <txauth@ietfa.amsl.com>; Wed, 17 Mar 2021 16:18:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IASn8LFBQsGX for <txauth@ietfa.amsl.com>; Wed, 17 Mar 2021 16:18:57 -0700 (PDT)
Received: from mail-vs1-f46.google.com (mail-vs1-f46.google.com [209.85.217.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 720553A17AA for <txauth@ietf.org>; Wed, 17 Mar 2021 16:18:57 -0700 (PDT)
Received: by mail-vs1-f46.google.com with SMTP id e13so539210vsl.5 for <txauth@ietf.org>; Wed, 17 Mar 2021 16:18:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9mVNrvr8Sz78cmWJRBkK7+qPvzSk0Iaq4zMW96o1m50=; b=Osv3ilC65zP3ZFQ3EpTWdL+PnG/D11mmchL7kRsUbgaLifSv/Oq1X+tX8sdhkgA0ur 2SQpf3ti2VEg1ZpvyCgjhJgvka3jICqoz8zTXt20pQOnEAoJ5GyImi1Z8ePw29r8HhLX Cw4HbxZy8cl51G5soxyQ8ImLwkHNI3Bv1oa8rKSppksd2boMvU9VyNlX943rscqUnA42 kvT6EJ9dVW4NuhV+DGIuAS63rARQ8WcdDbrhA5JXZ63nieT+kj2yRo1olVS7WgfumoPQ YoRNnfmDSWgHUgMJbivBKIB9+fbGEW1DFWK9qqXOBMzUoNd/Q17JOJ03DE9iOoIr2Lo0 CYQQ==
X-Gm-Message-State: AOAM531zle6lbg0u9cOV+IcTXjH5oCB1p59dvh3NZdJusE4DPx3uZNxi Td6ow0/XIXjDbIS+QsmmaVOMl9lLBeB5uNOwSjw=
X-Google-Smtp-Source: ABdhPJw+7GywzOuZ4JeyhipRxrP+Ggttx7lZM2XX9ChDbZT7kMRxxbUbRux9KTOCBZoXOjsc4zquS7b8r5ZIBlyuQ44=
X-Received: by 2002:a05:6102:24a:: with SMTP id a10mr4990449vsq.39.1616023136334; Wed, 17 Mar 2021 16:18:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuQ5Q1LrGtniCH3WN5gyf6QhBa-9e+2kzaV0fxzA5D5m7w@mail.gmail.com> <B3A02C1B-5DF6-46AE-B806-8DBBF5F6B701@mit.edu> <CAM8feuRuCyKGCDNYXP_gwc=wk986q6m_-DDOcXR8T9k+LdoX9g@mail.gmail.com> <CAM8feuRHQJF6sWGBcvt41kH6V6fwXK0-O15aUgvRRiK9q8vefA@mail.gmail.com> <CAJmmfSSY03c1nn3qtQDhY+Zk490d++zftyftSWPOGPdgPOnkag@mail.gmail.com> <CAM8feuTSWko8q+Agn+0+tLmSAOG6NYH_dMCV697NLna1U-Sxew@mail.gmail.com> <CANYRo8immAFJ08pvd00U6zT6-zRsrHkJ28NuKyC28Fdx=F=USQ@mail.gmail.com> <CAM8feuQbDJfPqym-2VAb4VyDuL8rm_Yk-sGyrb8_qAapUBtEuw@mail.gmail.com> <CAM8feuS332Ng_Bi=doXzq0WEgLc7_+tOmB4uE71+bpJ_g4P-aw@mail.gmail.com> <CANYRo8jG+ZutU6Bhy7zSrKcgnVxjMze7i-y_UpU3+PWvsWfLvA@mail.gmail.com> <CAM8feuSixNA2oFTtYR0Y3vngc+3UbsOSqSBCA6RUEEByB25eNA@mail.gmail.com> <CANYRo8hts6P_4QNjjcUr-H9B9wGJeVckWw+3V3N9hdPHf_idLQ@mail.gmail.com> <CAM8feuQEQyCEOErds8rpcipaqyPm3L3XMdrbQ6X2t3y9xcO4dQ@mail.gmail.com> <CAJmmfSQKZWm=YsjBVV8O+vU9zzC+eka0CCaQO-xFP-GcWzEigw@mail.gmail.com> <CANYRo8jw9gHQESDk__aKM3jK-C9FvYTFYOzb-8iYzbc_hVjMPA@mail.gmail.com> <EDB79C39-D706-43B2-B7D6-234CB32F7411@mit.edu>
In-Reply-To: <EDB79C39-D706-43B2-B7D6-234CB32F7411@mit.edu>
From: Adrian Gropper <agropper@healthurl.com>
Date: Wed, 17 Mar 2021 19:18:44 -0400
Message-ID: <CANYRo8inRJa0bAe6gqOkLKqHnt-qxPrzhDufBLwXd-S4wfjdxg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Tobias Looker <tobias.looker@mattr.global>, Fabien Imbault <fabien.imbault@gmail.com>, GNAP Mailing List <txauth@ietf.org>, Alan Karp <alanhkarp@gmail.com>, Mark Miller <erights@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000fd775705bdc3b44b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/cdrIjHU2F6R_u4PCJgeZkpzyC8c>
Subject: Re: [GNAP] DID as sub_id or assertion?
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2021 23:18:59 -0000

I'm sure you're right. Our vague terminology around client and end-user
leads to my confusion. If GNAP is primarily about delegation then, of
course, we should avoid any incentives to impersonate or we're wasting our
time. This is partly why I'm trying to study up on capabilities and asking
for expert advice from folks like Alan Karp and Mark Miller (cc'd)

As best I can understand it, the RS has only two choices, it can:

   - store an attribute of the RO a [DID, email address, GNAP AS URL], or
   - hand the RO a capability as a sort-of promise and avoid making any
   entries in an ACL or equivalent.

When a token comes back to the RS, it will either be:

   - validated according to something associated with the stored RO
   attribute, or
   - signed by the RS itself.

Either way, trust in the client seems moot.

Adrian



On Wed, Mar 17, 2021 at 5:29 PM Justin Richer <jricher@mit.edu> wrote:

> On Mar 17, 2021, at 4:55 PM, Adrian Gropper <agropper@healthurl.com>
> wrote:
>
>
> On Wed, Mar 17, 2021 at 4:23 PM Tobias Looker <tobias.looker@mattr.global>
> wrote:
>
>> <snip>
>> > A client might not have a DID but it could have a VC as a certificate
>> of authenticity linked to some audit mechanism.
>>
>> To me a VC would come under the assertions umbrella (that is to say a VC
>> could be one type of valid assertion). The client may possess or been
>> presented with a VC that it could include in its request to the AS as a way
>> to identify the subject and perhaps prove authentication and authorization.
>>
>
> I do not assume that the client that interacts with the AS to make a
> request and receive a token is the same as the client that will present the
> token to the RS. In the US HIPAA use-case, for example, the root of trust
> is a contract between the patient-subject and the doctor-requesting party
> but the doctor workflow is expected to delegate the token to some other
> end-user that may be using a totally different client such as an EHR.
>
>
> If the client that gets the token is not same as the client that uses the
> token, that is a violation of core security principles as it allows for
> (and really designs for) impersonation by client software. I would have no
> reason to trust client software that would hand its credentials over to
> another piece of software, and in fact I shouldn’t trust it.
>
> I think you may be conflating several different kinds of parties under the
> “client” umbrella here, though. It’s entirely possible that one client
> might call an RS that in turn acts as a client for something else down
> stream. But each of those hops is different from the last.
>
>  — Justin
>
>

v2.23.0 | Report a Bug | By Email