Re: [GNAP] generic HTTP resource type

Jamey Sharp <> Wed, 28 July 2021 01:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C23DB3A145C for <>; Tue, 27 Jul 2021 18:06:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DZGUGYTok3sS for <>; Tue, 27 Jul 2021 18:06:18 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::1032]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 729B13A145A for <>; Tue, 27 Jul 2021 18:06:18 -0700 (PDT)
Received: by with SMTP id m1so2671790pjv.2 for <>; Tue, 27 Jul 2021 18:06:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=Lpho3Fwvd/ps+B4TJmw207oSuGAzSY0yxEC21bzbV4g=; b=UkfC21bw9e5xTCLtYLWBY2+ldTSBtxbkzc3pO3p6udfy6R3dUcmIj8QDgZCACn0GxE t8qkUSc8TUs8G4JBqq7+keCQJR1IrCMiHh+oabtT6LAdUAIk2UYqmHct84NX3Z9pQnVC zFF+r+KA/7XijvKaqWpNoYzbnZEcKfJk/8y7o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=Lpho3Fwvd/ps+B4TJmw207oSuGAzSY0yxEC21bzbV4g=; b=EnLSZte5ULMq1quVoQGiaaDMs2dggof6lr2CTdDie6/eUMDp4dZ1JrjNeUxW4362Qd yw/Al48UFpUma/VGwJBvoPy2FDYUUND6DnTfuukLLhCVNt0d9C2POdakYdBRkdUeeUXI mjoOfQrtYKrfqfM99t6Pzrj9X3ZKJVsKRmoFhqs9cv64XlyS2zS4msK78h1XFR7NM2nQ lUJJ/OerpWtme+x0FpICnFQmaVYd7MfoC+2ZKMye4ZVh4veBVaPIS0DyJ+vWzTd9giJg 9y8q+xo3cmuvgDG9md2V/4afiQ/l6VYpGrJaAsEEfhBl5ID4YlYrFcwR80lNL77rUqhC rn8Q==
X-Gm-Message-State: AOAM533ptqITxFArsAcTXJQiobVTNtsaxHrc6QMSTvn7dadzpNWwwu2g qKUoXE/0/OHdAcOa2PM2tvDqgVyRgkOxTyd7
X-Google-Smtp-Source: ABdhPJwAE0Cn5pMDnUTb3WE8sxPUWuvbWnl+sG5fsLqRSvTxaWNZmQcjrXgZqkgqLO07KK3I8GBzTA==
X-Received: by 2002:a17:90a:24c:: with SMTP id t12mr24699370pje.64.1627434377329; Tue, 27 Jul 2021 18:06:17 -0700 (PDT)
Received: from eh ( []) by with ESMTPSA id e2sm5541239pgh.5.2021. (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jul 2021 18:06:16 -0700 (PDT)
Received: by eh (sSMTP sendmail emulation); Tue, 27 Jul 2021 18:06:15 -0700
Date: Tue, 27 Jul 2021 18:06:15 -0700
From: Jamey Sharp <>
To: Adrian Gropper <>
Cc: GNAP Mailing List <>
Message-ID: <YQCthymMrDwqqxVC@eh>
References: <YP9bhNFEs3YPw1AD@eh> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
Archived-At: <>
Subject: Re: [GNAP] generic HTTP resource type
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Jul 2021 01:06:24 -0000

On Tue, Jul 27, 2021 at 06:54:31PM -0400, Adrian Gropper wrote:
> Hi Jamey,
> I'm grateful for your conversation because you are helping me tease 
> out which aspects of GNAP are essential for my (fairly common) 
> use-case.

I'm glad it's helping! Just keep in mind that I read the GNAP draft for 
the first time yesterday. 🤣

I think I have a better understanding of your concern now. I was 
somewhat confused because if the resources in question are electronic 
health records, then the RO is the party that needs protection the most, 
while in the cases I usually think about, it's the end-user's privacy 
that is most at risk.

I don't believe anything I'm proposing affects your use case, because 
I'm only proposing a resource rights type and possibly some end-user 
behavior. As far as I can tell,

- GNAP's privacy and security promises should not depend on the 
   specifics of any rights type;

- your application wouldn't use this rights type and so would not be 
   affected regardless;

- and any protections which GNAP offers an RO should apply regardless of 
   the behavior of any end-user.