search

KantaraInitiative / wg-uma

This is the repository of all specifications related to the User Managed Access Group
http://kantarainitiative.org/confluence/display/uma/
Other
28 stars 21 forks source link

Sharpen the extensibility profiles #124

Closed xmlgrrl closed 9 years ago

xmlgrrl commented 9 years ago

Roland has suggested that we get the extensibility profiles out of the business of describing what the two entities would do in interacting, and instead spend more time talking about the relevant security and privacy considerations. I wrote up a sample attempt based on our discussion. He'd still like to see the embedded list of interaction opportunities go away. Let's discuss...

This section defines a profile for UMA where the authorization server and resource server roles either reside in the same system entity or otherwise have a privileged communications channel between them. Following is a summary:

• Identifying URI: https://docs.kantarainitiative.org/uma/profiles/prot-ext-1.0
• Profile author and contact information: Mark Dobrinic (mdobrinic@cozmanova.com)
• Updates or obsoletes: None; this profile is new.
• Security considerations: See below.
• Privacy considerations: See below.
• Error states: See below.

Using this profile, the resource server MAY use means other than the HTTP-based protection API that is protected by TLS and OAuth (or an OAuth-based authentication protocol) to communicate with the authorization server in all respects, including using software interfaces and methods rather than network interfaces and APIs. The following list of interaction opportunities is a non-exhaustive sample:

• [the list would change per profile -- I've softened it and taken out all the MAYs] The mechanism of PAT issuance (though issuance is still REQUIRED)
• Resource set registration or configuration
• Registration or configuration of requested permissions
• RPT introspection or examination
• Error state generation and reporting at any level

Interactions with entities other than the authorization server or resource server MUST be preserved exactly as they would have if either of them were standalone, unless other extensibility profiles are also in use.

An authorization server using any of the opportunities afforded by this profile MUST declare use of this profile by supplying its identifying URI for one of its "uma_profiles_supported" values in its configuration data (see Section 1.4).

Same-entity communication or a tight integration of entities has the opportunity to make deployments more secure by reducing possible attack vectors. However, if the entities do not use TLS but communicate across a transport layer, it is RECOMMENDED to use an alternate means of transport-layer security, for example, using DTLS in the case of a Constrained Application Protocol (CoAP)-based UMA profile.

Same-entity communication or a tight integration of entities has the potential to compromise privacy by promoting the freer exchange of personal information within a deployment ecosystem. It is RECOMMENDED to account for privacy impacts in each deployment scenario.

agropper commented 9 years ago

This sounds like a privacy disaster. As soon as we open the possibility for resource servers to avoid a public and standardized API we create a loophole to avoid person-managed consent that you can drive an aircraft carrier through. The whole point of UMA from my perspective is to give a person-managed AS a fair shot at RS APIs.

This compromise in privacy is an existential threat to what we're trying to do.

Adrian

On Sun, Jan 4, 2015 at 9:57 PM, Eve Maler notifications@github.com wrote:

Roland has suggested that we get the extensibility profiles out of the business of describing what the two entities would do in interacting, and instead spend more time talking about the relevant security and privacy considerations. I wrote up a sample attempt based on our discussion. He'd still like to see the embedded list of interaction opportunities go away. Let's discuss...

This section defines a profile for UMA where the authorization server and resource server roles either reside in the same system entity or otherwise have a privileged communications channel between them. Following is a summary:

• Identifying URI: https://docs.kantarainitiative.org/uma/profiles/prot-ext-1.0 • Profile author and contact information: Mark Dobrinic (mdobrinic@cozmanova.com) • Updates or obsoletes: None; this profile is new. • Security considerations: See below. • Privacy considerations: See below. • Error states: See below.

Using this profile, the resource server MAY use means other than the HTTP-based protection API that is protected by TLS and OAuth (or an OAuth-based authentication protocol) to communicate with the authorization server in all respects, including using software interfaces and methods rather than network interfaces and APIs. The following list of interaction opportunities is a non-exhaustive sample:

• [the list would change per profile -- I've softened it and taken out all the MAYs] The mechanism of PAT issuance (though issuance is still REQUIRED) • Resource set registration or configuration • Registration or configuration of requested permissions • RPT introspection or examination • Error state generation and reporting at any level

Interactions with entities other than the authorization server or resource server MUST be preserved exactly as they would have if either of them were standalone, unless other extensibility profiles are also in use.

An authorization server using any of the opportunities afforded by this profile MUST declare use of this profile by supplying its identifying URI for one of its "uma_profiles_supported" values in its configuration data (see Section 1.4).

Same-entity communication or a tight integration of entities has the opportunity to make deployments more secure by reducing possible attack vectors. However, if the entities do not use TLS but communicate across a transport layer, it is RECOMMENDED to use an alternate means of transport-layer security, for example, using DTLS in the case of a Constrained Application Protocol (CoAP)-based UMA profile.

Same-entity communication or a tight integration of entities has the potential to compromise privacy by promoting the freer exchange of personal information within a deployment ecosystem. It is RECOMMENDED to account for privacy impacts in each deployment scenario.

— Reply to this email directly or view it on GitHub https://github.com/xmlgrrl/UMA-Specifications/issues/124.

Adrian Gropper MD Ensure Health Information Privacy. Support Patient Privacy Rights. http://patientprivacyrights.org/donate-2/ http://patientprivacyrights.org/donate-2/

xmlgrrl commented 9 years ago

Most (all?) patient-centric health data ecosystems are loosely coupled and will tend to require the separation baked into the default UMA AS/RS/client design, but we've been finding that quite a few deployment ecosystems are narrow in focus, where some of the entities are run exclusively by the same company. In these cases, it makes no sense to force them to go through HTTP when it’s the same hunk of software communicating with itself, while there are still benefits to using UMA in the rest of the orbit. This is why we invented the extensibility profiling mechanism: to scope down the amount of security/privacy/interop "monkey business” an entity can get away with in one sphere, while forcing it to act properly in all the other spheres.

You can see one analogous example in federated identity systems, when federation is used internally in companies to achieve SSO inside their “four walls” when the company owns multiple web properties. E.g., you use an amazon.com login to get into Amazon Fresh, Amazon Prime, etc. Naturally, Amazon has visibility into both the IdP and all the SPs.

Another thought: The new wording I proposed gives the example of IoT protocols (CoAP and DTLS). This profiling mechanism is also a mechanism for binding the UMA protocol to different underlying non-HTTP transports, while keeping it as loosely coupled as it is now. That may be something we want to mention explicitly, since it's a rationale that's not about tight coupling but about non-HTTP binding.

agropper commented 9 years ago

I'm not worried about auth within a legal liability domain.

I'm terrified about b2b data brokers and private networks between separate legal entities. Anything we do that allows for these dark networks to continue will marginalize UMA to the b2c ghetto with only a fraction of the resources online that are accessible over the dark network.

Simply put, we encourage the RS to register all private information (even de-identified individual data) that can be shared as an UMA resource with some standard UMA AS. That way, only policy stands in the way of scaling UMA to 21st century interop. If we do that, accountability and compliance will drive UMA adoption. If we don't, competition with the dark networks will limit the network effect for UMA adoption.

Adrian

On Sun, Jan 4, 2015 at 11:34 PM, Eve Maler notifications@github.com wrote:

Most (all?) patient-centric health data ecosystems are loosely coupled and will tend to require the separation baked into the default UMA AS/RS/client design, but we've been finding that quite a few deployment ecosystems are narrow in focus, where some of the entities are run exclusively by the same company. In these cases, it makes no sense to force them to go through HTTP when it’s the same hunk of software communicating with itself, while there are still benefits to using UMA in the rest of the orbit. This is why we invented the extensibility profiling mechanism: to scope down the amount of security/privacy/interop "monkey business” an entity can get away with in one sphere, while forcing it to act properly in all the other spheres.

You can see one analogous example in federated identity systems, when federation is used internally in companies to achieve SSO inside their “four walls” when the company owns multiple web properties. E.g., you use an amazon.com login to get into Amazon Fresh, Amazon Prime, etc. Naturally, Amazon has visibility into both the IdP and all the SPs.

Another thought: The new wording I proposed gives the example of IoT protocols (CoAP and DTLS). This profiling mechanism is also a mechanism for binding the UMA protocol to different underlying non-HTTP transports, while keeping it as loosely coupled as it is now. That may be something we want to mention explicitly, since it's a rationale that's not about tight coupling but about non-HTTP binding.

— Reply to this email directly or view it on GitHub https://github.com/xmlgrrl/UMA-Specifications/issues/124#issuecomment-68667542 .

Adrian Gropper MD Ensure Health Information Privacy. Support Patient Privacy Rights. http://patientprivacyrights.org/donate-2/ http://patientprivacyrights.org/donate-2/

xmlgrrl commented 9 years ago

If there is a "wide ecosystem" in which the public interfaces are in use, I believe the existence of the extensibility profiles in the spec alone will not encourage dark networks of personal data. The purpose of the profiles, again, is to require formal declaration that they're in use, and fine-grained parceling out of which parts of UMA are being stepped back from. Specific trust frameworks can even bar their use, and AS configuration data can then be checked to see if they contain the banned profiles.

In any case, those parties could simply use some other non-UMA interface and business relationship to achieve their goals, so it's once again a matter of business imperatives (and regulations) whether the undesirable scenario comes about.

rohe commented 9 years ago

I’m completely behind Eve on this.

5 jan 2015 kl. 05:53 skrev Eve Maler notifications@github.com:

If there is a "wide ecosystem" in which the public interfaces are in use, I believe the existence of the extensibility profiles in the spec alone will not encourage dark networks of personal data. The purpose of the profiles, again, is to require formal declaration that they're in use, and fine-grained parceling out of which parts of UMA are being stepped back from. Specific trust frameworks can even bar their use, and AS configuration data can then be checked to see if they contain the banned profiles.

In any case, those parties could simply use some other non-UMA interface and business relationship to achieve their goals, so it's once again a matter of business imperatives (and regulations) whether the undesirable scenario comes about.

— Roland

”Being able to think like a child is an important attribute of being an adult” - Eddie Izzard

agropper commented 9 years ago

I trust Eve and the group completely on this as well. I just wanted to highlight this for your consideration.

Adrian

On Mon, Jan 5, 2015 at 7:21 AM, Roland Hedberg notifications@github.com wrote:

I’m completely behind Eve on this.

5 jan 2015 kl. 05:53 skrev Eve Maler notifications@github.com:

If there is a "wide ecosystem" in which the public interfaces are in use, I believe the existence of the extensibility profiles in the spec alone will not encourage dark networks of personal data. The purpose of the profiles, again, is to require formal declaration that they're in use, and fine-grained parceling out of which parts of UMA are being stepped back from. Specific trust frameworks can even bar their use, and AS configuration data can then be checked to see if they contain the banned profiles.

In any case, those parties could simply use some other non-UMA interface and business relationship to achieve their goals, so it's once again a matter of business imperatives (and regulations) whether the undesirable scenario comes about.

— Roland

”Being able to think like a child is an important attribute of being an adult” - Eddie Izzard

— Reply to this email directly or view it on GitHub https://github.com/xmlgrrl/UMA-Specifications/issues/124#issuecomment-68701077 .

Adrian Gropper MD Ensure Health Information Privacy. Support Patient Privacy Rights. http://patientprivacyrights.org/donate-2/ http://patientprivacyrights.org/donate-2/

xmlgrrl commented 9 years ago

Implemented in Core rev 11 as agreed in UMA telecon 2015-01-05.