Description:
Alice manages all her personal health records in her personal
health data store at www.myhealth.example.com. Alice's Primary
Care Physician (PCP), which has a Web site at www.pcp.example.com
recommends her to see a sleep specialist
(www.sleepwell.example.com). Alice arrives at the sleep
specialist's office and authorizes it to access her basic health
data at her PCP's web site. The application at www.pcp.example.com
verifies that Alice has authorized www.sleepwell.example.com to
access her health data as well as enforces that
www.sleepwell.example.com is the only application that can
retrieve that data with that specific authorization.
Pre-conditions:
Post-conditions:
Requirements:
-- Chief Architect AIM: gffletch Identity Services Engineering Work: george....@teamaol.com AOL Inc. Home: gffl...@aol.com Mobile: +1-703-462-3494 Blog: http://practicalid.blogspot.com Office: +1-703-265-2544 Twitter: http://twitter.com/gffletch
An interesting use case, but it doesn't cover a second level of
sharing. Perhaps www.sleepwell.example.com is a broker for
contractors that do the actual work. As described here,
www.sleepwell.example.com has two ways to get the job done. The first
is to read Alice's data and forward it to sleepcontractor.example.org.
The second is to share its private signing key with
sleepcontractor.example.org Neither is particularly attractive. The
first means that www.sleepwell.example.com, which has no need to see
Alice's data, must see it in order to forward it. The second has the
effect of allowing sleepcontractor.example.org to sign for
www.sleepwell.example.com.
These problems wouldn't arise if the bearer token was the only proof
of authorization required. Then www.sleepwell.example.com could
forward the token to sleepcontractor.example.org, and
sleepcontractor.example.org could access the data directly. Alice
will hold www.sleepwell.example.com responsible for the access to her
data using this token. It's up to www.sleepwell.example.com to
penalize sleepcontractor.example.org for any violations.
There is no loss of security. Alice has no way to prevent
www.sleepwell.example.com from getting her data to
sleepcontractor.example.org by proxying requests or credential
sharing. Making the second level of sharing hard hurts Alice's privacy
(first solution) or www.sleepwell.example.com's security (second
solution).
There is a general principle behind all of this, the distinction
between "permission" and "authority," which is nicely described in
"Paradigm Regained" (http://www.erights.org/talks/asian03/).
Basically, what's described in the write-up grants
www.sleepwell.example.com "permission" to access Alice's data.
www.sleepwell.example.com uses its permission and behavior to grant
sleepcontractor.example.org "authority" to read Alice's data. Who
gets to do what depends on authority, not just permission.
--------------
Alan Karp
> _______________________________________________
> WG-UMA mailing list
> WG-...@kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma
>
>
_______________________________________________
WG-UMA mailing list
WG-...@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
(Forgive me if I'm jumping into the middle of an ongoing discussion. I'm just starting to catch up after being busy with my actual job.) An interesting use case, but it doesn't cover a second level of sharing. Perhaps www.sleepwell.example.com is a broker for contractors that do the actual work. As described here, www.sleepwell.example.com has two ways to get the job done. The first is to read Alice's data and forward it to sleepcontractor.example.org. The second is to share its private signing key with sleepcontractor.example.org Neither is particularly attractive. The first means that www.sleepwell.example.com, which has no need to see Alice's data, must see it in order to forward it. The second has the effect of allowing sleepcontractor.example.org to sign for www.sleepwell.example.com.
These problems wouldn't arise if the bearer token was the only proof of authorization required. Then www.sleepwell.example.com could forward the token to sleepcontractor.example.org, and sleepcontractor.example.org could access the data directly. Alice will hold www.sleepwell.example.com responsible for the access to her data using this token. It's up to www.sleepwell.example.com to penalize sleepcontractor.example.org for any violations.
There is no loss of security. Alice has no way to prevent www.sleepwell.example.com from getting her data to sleepcontractor.example.org by proxying requests or credential sharing. Making the second level of sharing hard hurts Alice's privacy (first solution) or www.sleepwell.example.com's security (second solution).
There is a general principle behind all of this, the distinction between "permission" and "authority," which is nicely described in "Paradigm Regained" (http://www.erights.org/talks/asian03/). Basically, what's described in the write-up grants www.sleepwell.example.com "permission" to access Alice's data. www.sleepwell.example.com uses its permission and behavior to grant sleepcontractor.example.org "authority" to read Alice's data. Who gets to do what depends on authority, not just permission.
Hi Alan,
Some comments inline. I totally understand being "busy with my actual job"... I'm particularly swamped right now:)
On 1/28/11 6:38 PM, Alan Karp wrote:You are correct. I was not trying to solve that level of delegation. The main purpose of this use case is to show the value of signatures to OAuth (something that hasn't been excepted unanimously by the OAuth community:).(Forgive me if I'm jumping into the middle of an ongoing discussion. I'm just starting to catch up after being busy with my actual job.) An interesting use case, but it doesn't cover a second level of sharing. Perhaps www.sleepwell.example.com is a broker for contractors that do the actual work. As described here, www.sleepwell.example.com has two ways to get the job done. The first is to read Alice's data and forward it to sleepcontractor.example.org. The second is to share its private signing key with sleepcontractor.example.org Neither is particularly attractive. The first means that www.sleepwell.example.com, which has no need to see Alice's data, must see it in order to forward it. The second has the effect of allowing sleepcontractor.example.org to sign for www.sleepwell.example.com.
My problem with bearer tokens is that you lose the chain-of-trust. If www.sleepwell.example.com just passes its authorization token to sleepcontractor.example.com, then the access by sleepcontractor.example.com is indistinguishable from the access my www.sleepwell.example.com. In certain use cases, this is not acceptable. Also, if sleepcontractor.example.com is compromised, then the attacker can use any of the bearer tokens that it finds with out also having to find the corresponding token.These problems wouldn't arise if the bearer token was the only proof of authorization required. Then www.sleepwell.example.com could forward the token to sleepcontractor.example.org, and sleepcontractor.example.org could access the data directly. Alice will hold www.sleepwell.example.com responsible for the access to her data using this token. It's up to www.sleepwell.example.com to penalize sleepcontractor.example.org for any violations.
It is true that www.sleepwell.example.com could get all necessary data and then pass it along to sleepcontractor.example.com (or use credential sharing). I'm not sure I follow why what's described "hurts" Alice's privacy. Alice is releasing her information to www.sleepwell.example.com not to sleepwell's contractor.There is no loss of security. Alice has no way to prevent www.sleepwell.example.com from getting her data to sleepcontractor.example.org by proxying requests or credential sharing. Making the second level of sharing hard hurts Alice's privacy (first solution) or www.sleepwell.example.com's security (second solution).
If I have a contract with a brokerage firm or bank and they sub-contract out the handling of my account with some other company, I currently don't have any control over that other than to switch brokerage firms. When I give my SSN to the brokerage firm, they may give the data to a contractor, but the "contract" or implicit agreement is between me and the brokerage firm.
I would rather a model where www.sleepwell.example.com would request scoped tokens for it's contractors such that the token explicitly identifies the contractor and it's relationship to www.sleepwell.example.com. This keeps the relationships clear as data traverses amongst the different servers.
I'm fine with this model as long as www.sleepwell.example.com explicit requests a special token (based on it's granted permission) for each contractor that provides that contractor with just the authority that it needs. I believe that in certain use cases, it must be possible to prove that the token presented is presented by the party it was issued to. A bearer token does not carry this semantic.There is a general principle behind all of this, the distinction between "permission" and "authority," which is nicely described in "Paradigm Regained" (http://www.erights.org/talks/asian03/). Basically, what's described in the write-up grants www.sleepwell.example.com "permission" to access Alice's data. www.sleepwell.example.com uses its permission and behavior to grant sleepcontractor.example.org "authority" to read Alice's data. Who gets to do what depends on authority, not just permission.