Re: [GNAP] GNAP from a human-centered perspective
Alan Karp <alanhkarp@gmail.com> Thu, 18 March 2021 21:02 UTC
Return-Path: <alanhkarp@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 208DF3A346C for <txauth@ietfa.amsl.com>; Thu, 18 Mar 2021 14:02:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-yXr1wVYn_7 for <txauth@ietfa.amsl.com>; Thu, 18 Mar 2021 14:02:51 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E17693A3469 for <txauth@ietf.org>; Thu, 18 Mar 2021 14:02:50 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id x9so5202512qto.8 for <txauth@ietf.org>; Thu, 18 Mar 2021 14:02:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hJi0VPrWo+Ra3fFSDxWyvXnaNKwu8xZGz243skho5Vs=; b=Yf1azIAmU0vec+7z5xd/pJfW1Kh07BhGQVc+3LMGcQT/7zqFxW70lDctuaSC3edQ+c zpYOT3yPWCHhoaq8je1RrTZ4jMlg+o1nZXeXdN2kvpzR5F0GUT/qm3ga6WMiKi6MJEnV 3P5dCvZpxG5HBck66I5K3B38dpNyje+ez0NWwAEKPxTQe7EUUPOok95b+N5AtdN2xRY0 k8WSFrhYqlxj/BHjZXNbElDMJ8kiIN0Ah8b8rRKsCTmePkcNB+8CPXYcqXZ6krAq5Eck FbJiFlyoWRBhXiXeMRjOz+clcMm+ESyD9rMYpFUbht7JBp1avqKWyQ1Y/vZKEnbIw2MR ktOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hJi0VPrWo+Ra3fFSDxWyvXnaNKwu8xZGz243skho5Vs=; b=r7ttj/bM+3W/YvayBj0gDIBcu7vzzNUlDBRoF7/2ATQsMbrgbj1aTiNGzyw1tT1pra NnpyBqBCmMatgnZ5+074Uytn2ZkiczGg6CL8aG94xworJxfJY2ss+QkwLgPIc+Es3sPd AeaGUPxF5NB/HgUsFpXbS2jfWv3c5YLyKel701WrKjyYM5nbZ6/8L3YNAyKoKeU3u0Th hvP8x+551P8bsz+RW496vufmQJQ/RuAO3SCgUYGMdg83elWZUGJPdycu/4IB4fORARaW JdCsDXcbofQ/6oWQVUMh5VfMVTdCtF6BDFJoZVYMnBJoOYqrajO8Z9JVFL8JpddMB8WB +XIQ==
X-Gm-Message-State: AOAM532EH32VHUFr9q/Ltcz7Wfl5pt8HuZsGsQCKoAisTgS31Gk4iXDN UM2N36VDhbG0cSol2bH5AFpTedBszYO6RxSgc5c=
X-Google-Smtp-Source: ABdhPJzeQ8tUqrRph6rQIVl9hwpt7AEizJBEPJYwapqBKeT7RYpvrLjwnoQYwP1PYWsYu0byaNyWJghv9EPWp5zgrZc=
X-Received: by 2002:ac8:7c8d:: with SMTP id y13mr5456990qtv.294.1616101368899; Thu, 18 Mar 2021 14:02:48 -0700 (PDT)
MIME-Version: 1.0
References: <CANYRo8icMC7mOK0kBurAv0Y_DW+XvDVwUrV6gazvu2eHfL2KtQ@mail.gmail.com> <D13FB5C2-F1B6-4C98-858D-664A10D7F2D1@mit.edu> <CANYRo8h_HuE0cnv095ZoU2JM49a=KXVJwpEbHJADG7R7tKdkyA@mail.gmail.com> <614551CF-E544-4376-9576-E2956454D67D@mit.edu> <CANYRo8hHv6G4t+koTeH8p0bD0bUQreOG5Q0NNi1VqXqYAfGtkA@mail.gmail.com>
In-Reply-To: <CANYRo8hHv6G4t+koTeH8p0bD0bUQreOG5Q0NNi1VqXqYAfGtkA@mail.gmail.com>
From: Alan Karp <alanhkarp@gmail.com>
Date: Thu, 18 Mar 2021 14:02:37 -0700
Message-ID: <CANpA1Z10O3D-5XVjHGFTjCLnnmnVTDYssDpghLvee8a-=-uvZQ@mail.gmail.com>
To: Adrian Gropper <agropper@healthurl.com>
Cc: Justin Richer <jricher@mit.edu>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000003ac0c05bdd5eca2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/pql1MuLWUOuhrbbWQvUfu3U-zDY>
Subject: Re: [GNAP] GNAP from a human-centered perspective
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2021 21:02:54 -0000
Let's be clear about the trust relationships. The RS has one with its AS, call it AS-RS; the RO has one with its AS, call it AS-RO. I think what Adrian is saying is clear if we keep that distinction in mind. -------------- Alan Karp On Wed, Mar 17, 2021 at 1:42 PM Adrian Gropper <agropper@healthurl.com> wrote: > Hi Justin, > > I just reviewed our charter and I see no clear mandate for an AS-first or > RS-first presumption. > > From my human-centered, subject-empowering perspective, I want to make > sure that I am not forced into an RS-first authorization model. This means > that I want control over discovery of an RS that has a relationship with > me. If I don't trust the RS, and I can't choose an alternative, I will use > a pseudonym or lie about my identity before interacting with that RS. > > If an RS does not allow me to control my AS, then they are forcing me to > send requesting parties to an actor that I do not want to share request > data and metadata with. I will then control or hire my own AS and make that > discoverable to requesting parties I care about. My AS will determine which > clients get information about the existence of an RS that does not respect > my choice of AS. If I can, (remember that the RS holds all the cards) I > will move my information to another RS that respects my AS choice as soon > as possible and then I will have the power to decide whether to make that > RS discoverable, or not. > > SImply put, I care about where requests are presented and I want GNAP to > call that the AS. How the client gets to the AS, through out-of band > discovery or by visiting an RS-first (UMA-style), may not be that relevant > to the core protocol. > > Adrian > > On Wed, Mar 17, 2021 at 1:03 PM Justin Richer <jricher@mit.edu> wrote: > >> >> >> On Mar 17, 2021, at 12:21 PM, Adrian Gropper <agropper@healthurl.com> >> wrote: >> >> I think Justin and I are starting from the same assumption that "the RS >> holds all the cards" but then reaching different conclusions about the GNAP >> AS. >> >> The RS can decide what scopes to honor, can ignore tokens, can choose >> their jurisdiction and policies, and can often deny service to subjects on >> a whim. Giving the RS any additional power or coerced trust (e.g. >> shrink-wrap licenses) over the subject should be avoided by design. >> >> One thing the RS controls is the ability to issue a capability to the >> subject at some point prior to there being any GNAP AS involved. The >> subject can keep this capability in their client (e.g. a wallet) or can >> send that capability to a GNAP AS that they choose. >> >> >> I don’t believe this is in scope for GNAP. The abstraction layer offered >> by the protocol is such that the only communication between the client >> instance and RS is via an access token issued by an AS. This AS is >> reachable by the client and trusted by the RS. >> >> Fundamentally, what you are describing is function of the AS, at least as >> far as the GNAP protocol itself is concerned. Remember, this isn’t about >> deployment, it’s about the roles and responsibilities of the different >> items involved. >> >> >> Instead of issuing a capability, the RS can also choose to accept a >> user-controlled AS. They can do that, for example, by storing a (DID) >> service endpoint to a GNAP AS. The RS could force the subject (as >> controller) to choose from a list of certified ASs or they could ask the AS >> to present a certificate from a trusted issuer. This last RS-controlled >> option is seen in US HIPAA law but it has provisions for the data subject >> to insist on acceptance of a subject-issued certificate as part of the >> protocol. The UDAP group is active in profiling the format of these >> certificates to be used on top of OAuth. >> >> >> I think that all of these things are functions of the AS, not the RS. >> With many AS deployments in OAuth today, the user can present themselves to >> the AS using a choice of federated logins. So in GNAP the user’s agent can >> present a certificate from a trusted issuer. This is not something an AS >> presents to an RS, it’s something that a different component presents to >> the AS. >> >> The result of this is an access token that the RS will accept. The AS and >> RS are in the same trust boundary, the crossing of that boundary happens >> inbound to the AS. This is fundamentally the change in language that I have >> been trying to push here. While the RS could accept an arbitrary AS, I >> think it’s both more useful and more realistic for the AS to accept a >> variety of proofs, claims, certifications, etc from the RO and/or user at >> runtime in order to make its token. >> >> >> Finally, GNAP should not presume that the AS is either carried by a >> subject or online. A subject can have the option to choose an unreliable or >> part-time AS. >> >> >> I disagree with this statement. GNAP is a protocol and is based on HTTP. >> From a technical level, we have to assume that it is reachable by the >> client instance at the start of the process. But if we stop trying to put >> the AS into a place where it doesn’t function well, we can start to talk >> about the unreliable and part-time authorization-and-consent component >> (agent, wallet, whatever) that can feed into the AS when available. This >> leads to a much more robust protocol structure. >> >> — Justin >> >> Adrian >> >> >> >> >> >> >> >> On Wed, Mar 17, 2021 at 10:55 AM Justin Richer <jricher@mit.edu> wrote: >> >>> I think this is a fairly reasonable way to look at things, but the >>> sticking point for me is the implication of how the AS “brings together” >>> the items. It could be read to mean that the end-user’s policies all live >>> on the AS. If the end-user needs to own or control the AS in order for this >>> to work, I don’t think that pattern has any legs in reality as it requires >>> an RS to accept access tokens from an unknown source. This means the RS >>> then needs to understand a LOT more about the access token than it would >>> otherwise be able to. >>> >>> Instead, I would encourage us to think of “brings together” in the sense >>> that the AS can take as input a number of different things, including >>> things that the user controls and things the RO controls. This is where I >>> think we can draw the line around the AS in a way that will let it function >>> in this human-facing world. >>> >>> Because you’re absolutely right that the end user shouldn’t know or care >>> if what they carry is an “AS” in the GNAP sense or not. From their >>> perspective, they need to present something to a service to get something >>> done. In the OAuth world this is “log in to our web server”. In the GNAP >>> world we can have this include a wider variety of things they can present >>> to the AS, including VCs and DIDs and a bunch of other things. >>> >>> — Justin >>> >>> > On Mar 17, 2021, at 12:30 AM, Adrian Gropper <agropper@healthurl.com> >>> wrote: >>> > >>> > I truly appreciate the diligence of our editors and contributors. >>> > >>> > Without intruding on the technical discussions, I hope this thread can >>> be an opportunity for us to step out of our comfort zone and look around. >>> > >>> > As a human data subject, I am cognizant and in control of only two >>> kinds of actors, user agents and services. The user agents are almost >>> exclusively a handful of web browsers, email clients, and apps duplicated >>> and sometimes synchronizing across two to four phones and computers. The >>> services (that I expect have visibility into my persona) are in a dozen >>> categories from banking and ISPs that I expect to be acting as fiduciaries >>> to platforms, social networks and other data brokers with their own agenda. >>> At this altitude, GNAP, DIDs, and ASs are as invisible as MAC addresses and >>> routers. >>> > >>> > Our success, from a human-centered perspective, will come indirectly >>> as a result of the GNAP Authorization Server. The user agents and service >>> providers I see (and sometimes choose) will support GNAP along with OAuth >>> and FIDO and Apple Sign-In as protocols. The common thing about these >>> protocols is that they coexist and overlap in incomprehensible ways made >>> even more obscure by DIDs, VCs, and self-issued identity providers (SIOP). >>> As we get to DIDcomm, even I get lost. >>> > >>> > My suggestion or proposal to our group is that we respect the human >>> perspective by doing our best to make the concept of an authorization >>> server relevant even if it remains hidden from view behind protocols like >>> GNAP and OAuth and data models like DID and VC. In doing this we would >>> recognize that a human's agent would likely support GNAP AS as well as >>> incumbent attribute management protocols. As a human, I just want my online >>> agent to work across as many user-agents and services as possible. As with >>> life partners or spouses, having more than one intelligent semi-autonomous >>> agent is not typically a benefit. >>> > >>> > My concrete suggestion is that GNAP define the AS as the entity or >>> actor that brings together the subject's policies, the capabilities granted >>> by services, and requests and serves up authorizations to the requesting >>> party. >>> > >>> > Adrian >>> > >>> > >>> > >>> > >>> > -- >>> > TXAuth mailing list >>> > TXAuth@ietf.org >>> > https://www.ietf.org/mailman/listinfo/txauth >>> >>> >>
- [GNAP] GNAP from a human-centered perspective Adrian Gropper
- Re: [GNAP] GNAP from a human-centered perspective Fabien Imbault
- Re: [GNAP] GNAP from a human-centered perspective Justin Richer
- Re: [GNAP] GNAP from a human-centered perspective Adrian Gropper
- Re: [GNAP] GNAP from a human-centered perspective Justin Richer
- Re: [GNAP] GNAP from a human-centered perspective Adrian Gropper
- Re: [GNAP] GNAP from a human-centered perspective Alan Karp