Open OR13 opened 3 years ago
The point of this section seems to be:
"Identity Hubs are a formulation of Encrypted Datastores .... wherein a developer of an application or service stores the data for a Subject with that Subject, in their Identity Hub, instead of in a traditional centralized location owned and controlled by a third-party."
It is understood that the "application or service" is processing data rather than just storing it, otherwise, the EDV section would be sufficient. As a processor, the (application or) service has access to data in the clear. (I'm ignoring secure multi-party computation and such in this response. Please raise a separate issue if you want to deal with that.)
The issue, from the perspective of the Subject (of the "identity hub") is not where the storage is hosted but who controls access the contents of the storage. For example, as a Subject, I might self-host storage in my closet and expose that to to various Services to use but it would hardly protect me form these services having their way with my data.
This issue is nicely discussed from the perspective of service providers in the context of the Uniform Law Commission Committee (where I'm an 'observer') Main Street Privacy Coalition to: Collection and Use of Personally Identifiable Data Drafting Committee where they explain the need for separation of concerns and effective regulation of platforms that combine multiple concerns.
Therefore, I strongly object to the proposed section on Identity Hubs as part of the spec and seek to have it removed entirely.
If it's within scope to specify a separate layer above the EDV access authorization, that layer must preserve the separation of concerns between policy decision points and the policy enforcement point. If we choose to specify this upper layer, we should also consider how auditing will be done in order to detect security breaches at the policy enforcement point if the PEP controls access to data in the clear.
My proposed solution to 'processing data in the clear' would be to define the authorization protocol that gives substantially all control to an agent of the Subject as the policy decision point. I don't know if that means a separate layer above the EDV or a parallel specification at the same layer as the EDV. That's related to VCs - zCaps / OCap a Discussion.
@agropper "It is understood that the "application or service" is processing data rather than just storing it, otherwise, the EDV section would be sufficient. As a processor, the (application or) service has access to data in the clear." - the vast majority of data that will flow through Identity Hubs (down into EDVs) is encrypted, and the Hub has no access to it. The only data that is send to a Hub in plaintext is an intended-public object like a publicly declared Tweet, that the Hub has no special access to - it's literally just hosting data like you would when you post blog entries for everyone to read.
Obviously it would be folly to remove the most useful, high value portion of the specification that represents what the vast majority of application and services developers need to begin creating apps that rely on the user's own personal datastore as their backing data storage mechanism. For this reason, I can't even fathom why we would make the spec relatively useless to the vast majority of valuable use cases by removing it.
@csuwildcat I maintain that the management of intended-public objects should have absolutely nothing to do with the Confidential Storage specification.
However, I would support adding a section about implementation guidance somewhere that tells people how they might set up a searchable directory of intended-public objects and what, if anything about that directory relates to the normative aspects of the Confidential Storage spec.
For example, when we decide to specify the authorization protocol for access to an EDV, we could mention that we recommend that directory creators support the same protocol so that the same data controller can interact with both EDV and intended public-object directories.