justinwb
commented
1 year ago Yes this scenario was considered and has been solved already in the shape tree specification. The shape tree definition includes a similar description of what the data is. So regardless of what the access need description is, the data that is being requested is always present it based on the shapetree definition. On Sep 8, 2022, 7:38 AM -0400, Tom Haegemans @.***>, wrote:
We are currently implementing the interop spec into use.id, but are concerned about relying on skos:preflabel and skos:prefdefinition of the Access Need Groups to render the UI of the authz agent. This is because a malicious party might create a mismatch between those two fields and the actual access requests. For example, I could present the following access needs group:
• skos:preflabel: "Read access to your shopping history" • In reality, my app asks permission to read my medical data
Has the panel considered this situation? We are thinking to solve this issue by putting a human readable name at the shape tree itself... — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: @.***>
tomhgmns
elf-pavlik
We are currently implementing the interop spec into use.id, but are concerned about relying on
skos:preflabelandskos:prefdefinitionof the Access Need Groups to render the UI of the authz agent.This is because a malicious party might create a mismatch between those two fields and the actual access requests.
For example, I could present the following access needs group:
skos:preflabel: "Read access to your shopping history"Has the panel considered this situation?
We are thinking to solve this issue by putting a human readable name at the shape tree itself...