Human rights considerations are different form from privacy considerations to the extent they are universal and cannot be regulated or consented away. A fundamental protocol such as GNAP must therefore support human rights by default and not as an option or extension. The human rights considerations in this section are modeled after the list of privacy threats in {{RFC8280}}, "Research into Human Rights Protocol Considerations" and the most recent draft of Freedom of Association on the Internet. Although there is no human right specific to delegated authorization, in the IETF context we are using the work of HRPC and IRTF on freedom of association and assembly (FAA) for the purpose of risk analysis and suggested mitigations.
Experience with OAuth and related protocols like OpenID Connect has led to global platform oligopolies that are difficult to regulate and, when pressed, collaborate with governments that do not homor universal human rights. This unintended consequence of the authorization design is due to a combination of of resource server autonomy and resource user convenience. Resource servers, if allowed, will do as much surveillance as they can get away with or outsource that surveillance to platform intermediaries for a reduced operating cost. For their part, users will, almost without exception, choose the most convenient path to resource access even when that path exposes them to secondary costs or unintended risks.
It is therefore now common practice for a resource server to align their interest with an authorization server and often an identity provider as well. For example, a network effect ensues when a social network offers users "free" resource processing as long as they are also party to the resource control function and, for the most successful social networks, trusted as identity providers.
Effectively, the imposition of a an intemediary controller of a resource, is a violation of the human rights through forced association. The surveillance consequences of such imposition is an impediment to freedom of assembly. As with OAuth2 and UMA2, GNAP offers implementers of a resource server the choice to support freedom of assembly and association, but experience teaches us that resource servers will hardly ever make that choice.
GNAP gives the resource server a choice of authorization token formats. GNAP tokens don't have to support attenuated delegation. Without the capacity for attenuation, a resource owner is forced, in the human rights sense, to give the authorization server unrestricted control even when the resource owner is forced to associate with the authorization server.
If a resource owner avoids the use of a forced authorization server the consequences are also bad because the requesting party will be impersonating the resource owner leading to an unacceptable lack of accountability.
When a GNAP resource server provides capabilities that support attenuation the resource owner can use that capability directly without risking impersonation or the owner can delegate some of that capapbility to an authoriation server that they choose. This mitigation avoids the forced association problem but is effective in the real-world sense only if this is also the most convenient choice.
Aligning the incentives for FAA means that GNAP MUST or SHOULD require resource servers to support attenuated delegation and do so in a way that is interoperable across any chosen GNAP-labeled authorization server. A real-world example would be open banking regulations that separate the choice of bank as resource server from the choice of payment processor (e.g. credit card) as authorization server.
Optionality in authorization token formats can again result in de-facto platform network effects as the cost and complexity of authorization servers drives smaller delegates out of the market.
- Adrian
Sure. I'll send a note to the group.
--------------
Alan KarpOn Wed, Aug 10, 2022 at 8:17 AM Adrian Gropper <agro...@healthurl.com> wrote:Alan,I'm hoping to understand the interoperability aspects of capabilities in the GNAP context.AdrianOn Sun, Aug 7, 2022 at 3:20 PM Adrian Gropper <agro...@healthurl.com> wrote:Hi Alan,This is as far as I can get without your input on interoperability as well as strategic advice.TIA,Adrian