To keep #187 focused on Trusted Grants/Consents I will focus on delegation chains here. Currently, we only use delegation where end-user delegates access to data someone else owns, to applications they want to use to exercise that access. Currently, we still do not clarify how storage hosting the data gets hold of and verifies the validity of that delegated grant!
Longer delegation chains will allow social agents to delegate to other social agents. This will also not require the usage of access modes like acl:Control.
Delegated Data Grant would still apply here. We pretty much only need to specify the mechanism to register delegation upstream. I will propose one of the possible approaches but we should evaluate other approaches as they get proposed.
Each Data Grant and Delegated Data Grant would get a dedicated resource to capture its downstream delegation chain. For example given snippet:
Notice last statement interop:hasDelegationChainIn auth-omni-acme-reg:e401fa27 . Grantee's authorization agent would have access to that resource and use it to reference all the downstream delegations.
In other words, each Delegated Data Grant keeps track of the downstream part of the chain.
This approach would also require that data owner gets access to every Delegated Data Grant in the chain. So Omni's authorization agent based on auth-omni-acme-reg:e401fa27 can fetch and cache all the Delegated Data Grants.
To keep #187 focused on Trusted Grants/Consents I will focus on delegation chains here. Currently, we only use delegation where end-user delegates access to data someone else owns, to applications they want to use to exercise that access. Currently, we still do not clarify how storage hosting the data gets hold of and verifies the validity of that delegated grant!
Longer delegation chains will allow social agents to delegate to other social agents. This will also not require the usage of access modes like
acl:Control
.Delegated Data Grant would still apply here. We pretty much only need to specify the mechanism to register delegation upstream. I will propose one of the possible approaches but we should evaluate other approaches as they get proposed.
Each Data Grant and Delegated Data Grant would get a dedicated resource to capture its downstream delegation chain. For example given snippet:
Notice last statement
interop:hasDelegationChainIn auth-omni-acme-reg:e401fa27 .
Grantee's authorization agent would have access to that resource and use it to reference all the downstream delegations.ACME's authorization agent would add the first statement when the Delegated Data Grant gets generated
And the second one once Kim's authorization agent registers the delegation made by Kim:
In other words, each Delegated Data Grant keeps track of the downstream part of the chain.
This approach would also require that data owner gets access to every Delegated Data Grant in the chain. So Omni's authorization agent based on
auth-omni-acme-reg:e401fa27
can fetch and cache all the Delegated Data Grants.