solid / data-interoperability-panel

Repository for the Solid Data Interoperability Panel
MIT License
51 stars 19 forks source link

Integrity of `skos:preflabel` and `skos:prefdefinition` #276

Open tomhgmns opened 2 years ago

tomhgmns commented 2 years ago

We are currently implementing the interop spec into use.id, but are concerned about relying on skos:preflabel and skos:prefdefinition of the Access Need Groups to render the UI of the authz agent.

This is because a malicious party might create a mismatch between those two fields and the actual access requests.

For example, I could present the following access needs group:

Has the panel considered this situation?

We are thinking to solve this issue by putting a human readable name at the shape tree itself...

justinwb commented 2 years ago

Yes this scenario was considered and has been solved already in the shape tree specification. The shape tree definition includes a similar description of what the data is. So regardless of what the access need description is, the data that is being requested is always present it based on the shapetree definition. On Sep 8, 2022, 7:38 AM -0400, Tom Haegemans @.***>, wrote:

We are currently implementing the interop spec into use.id, but are concerned about relying on skos:preflabel and skos:prefdefinition of the Access Need Groups to render the UI of the authz agent. This is because a malicious party might create a mismatch between those two fields and the actual access requests. For example, I could present the following access needs group:

• skos:preflabel: "Read access to your shopping history" • In reality, my app asks permission to read my medical data

Has the panel considered this situation? We are thinking to solve this issue by putting a human readable name at the shape tree itself... — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: @.***>

tomhgmns commented 2 years ago

Thanks for the answer, Justin! We'll rely on the ShapeTree definition then!

elf-pavlik commented 2 years ago

Great timing @tomhgmns I'm also implementing it and today should have all the code ready, that combines human-readable information from access need descriptions and shape tree descriptions. I plan to push that code down to sai-js as soon as it fits the need of the authorization agent.

elf-pavlik commented 2 years ago

I'll look into adding what we have discussed here into the Security Considerations section.