RFC010 multi vendor #23
Conversation
rfc/rfc010-multiple-operators.md
Outdated
|
|
||
| ## 3. Registration | ||
|
|
||
| Each care organization that is registered at a node by a SaaS provider will have its own DID document. If a care organization uses 2 SaaS providers, it'll have two different DID documents. Since identification within the OAuth flow is done by DID, the DID subject need to be aware of each other. This can be done by adding the DID of one document and add it to the other. This is done by using the `alsoKnownAs` field defined in the [core-did-spec](https://www.w3.org/TR/did-core/#also-known-as). |
There was a problem hiding this comment.
explain what is identified here, something like;
Since identification of the care organization within the OAuth flow
There was a problem hiding this comment.
Switched to subject and added subject to terminology
rfc/rfc010-multiple-operators.md
Outdated
|
|
||
| ## 3. Registration | ||
|
|
||
| Each care organization that is registered at a node by a SaaS provider will have its own DID document. If a care organization uses 2 SaaS providers, it'll have two different DID documents. Since identification within the OAuth flow is done by DID, the DID subject need to be aware of each other. This can be done by adding the DID of one document and add it to the other. This is done by using the `alsoKnownAs` field defined in the [core-did-spec](https://www.w3.org/TR/did-core/#also-known-as). |
There was a problem hiding this comment.
This can be done by adding the DID of one document and add it to the other
"adding the DID of one document" already implies implementation, so I'd use "referring" in this sentence, since the implementation is defined in the next sentence (using alsoKnownAs)
This can be done by having the DID documents of the SaaS providers refer to each other.
rfc/rfc010-multiple-operators.md
Outdated
|
|
||
| A DID subject that is added under the `alsoKnownAs` field is granted access to resources from the custodian. | ||
| In the case when the private key of the actor is compromised and the attacker is changing keys, the custodian SHOULD take appropriate action. | ||
| The node operator MUST remove a DID from the `alsoKnownAs` field when the `authentication` or `controller` field changes in the referenced DID document. |
There was a problem hiding this comment.
The node operator MUST remove a DID from the
alsoKnownAsfield when theauthenticationorcontrollerfield changes in the referenced DID document.
I find it a bit hard to read without a concrete example (say vendor Alice and Bob or A and B), but if I understand correctly if A refers to B's DID using alsoKnownAs, A MUST remove the alsoKnownAs referral to B when B changes its authentication or controller key, regardless there was an attack or not?
There was a problem hiding this comment.
That's correct and it's quite harsh. I'm not sure if it's needed. We should discuss it.
rfc/rfc010-multiple-operators.md
Outdated
| ## Multiple operator service access | ||
| ### Abstract | ||
|
|
||
| This RFC describes an addition to [RFC003](rfc003-oauth2-auithorization.md) and [RFC006](rfc006-distributed-registry.md) on how to handle resource access when a legal party has multiple node operators. This is the case when a care organization uses multiple pieces of software from different SaaS providers. A SaaS provider can alter the care organization DID document so the DID document of the other provider is added as synonym. This is done by using the *also-known-as* relation. |
There was a problem hiding this comment.
Perhaps elaborate the problem and solution here a bit more explicit. Talk about te trust relation between node provider and care provider. Than explicitly introduce the solution this RFC will be about:
This RFC introduces a solution where DID documents refer to each other using the also-known-as propertie.
rfc/rfc010-multiple-operators.md
Outdated
|
|
||
| ## 3. Registration | ||
|
|
||
| Each care organization that is registered at a node by a SaaS provider will have its own DID document. If a care organization uses 2 SaaS providers, it'll have two different DID documents. Since identification within the OAuth flow is done by DID, the DID subject need to be aware of each other. This can be done by adding the DID of one document and add it to the other. This is done by using the `alsoKnownAs` field defined in the [core-did-spec](https://www.w3.org/TR/did-core/#also-known-as). |
There was a problem hiding this comment.
Perhaps explain why each saas provider has their own DID document? I suspect it has to do with the coupling between document and services which are vendor specific?
| } | ||
| ``` | ||
|
|
||
| This is a unary relation. In the above example, `did:nuts:2` does not know anything about `did:nuts:1`. |
There was a problem hiding this comment.
So, why do we nog require the other document to point back?
There was a problem hiding this comment.
Why would we? Relations are unary in data transfer between custodian and actor. The custodian needs to trust the actor.
The other way around could be needed to signal the actor that there's data available on another node. That could be a recommendation not a necessity.
rfc/rfc010-multiple-operators.md
Outdated
|
|
||
| ## 4. Authentication | ||
|
|
||
| As defined in point 3 in [§6.2 of RFC003](rfc003-oauth2-auithorization.md#6-2-authorization), if the actor and custodian are the same, access is granted. If a custodian had added an actor in their DID document under the `alsoKnownAs` field, it MUST grant access as defined by point 3 in §6.2 of RFC003. Bolts MUST describe what resources may be accessed in this way and if user context is required. |
There was a problem hiding this comment.
The other document is just a number until it has VCs. Why not check fot those? This also prevents typos were the wrong documents are coupled and everything is mixed up.
There was a problem hiding this comment.
This spec only defines the underlying mechanism for authz/trust. Specifications of VC's could define the automatic additions of synonyms when data of the VCs match.
rfc/rfc010-multiple-operators.md
Outdated
|
|
||
| A DID subject that is added under the `alsoKnownAs` field is granted access to resources from the custodian. | ||
| In the case when the private key of the actor is compromised and the attacker is changing keys, the custodian SHOULD take appropriate action. | ||
| The node operator MUST remove a DID from the `alsoKnownAs` field when the `authentication` or `controller` field changes in the referenced DID document. |
There was a problem hiding this comment.
This all feels very error prone. I would like to hook in to existing processes like revoked VCs for example.
There was a problem hiding this comment.
This spec has nothing to do with VCs. This point was added to detect compromised DID Documents and protect the custodian automatically. Automatic synonyms via VCs could potentially mitigate the problem of user intervention.
There was a problem hiding this comment.
Will change node operator to node, since it's the software that should do it.
| @@ -0,0 +1,64 @@ | |||
| # RFC010 Multiple operator service access | |||
There was a problem hiding this comment.
I thing this document describes a specific subset where the care provider does not administers its own DID document. I think we should add that case here as well or make it explicit that it is about delegated identity.
There was a problem hiding this comment.
It's still valid for when an care organization manages its own keys. They will probably not use the functionality. The only thing this spec defines is that data MUST be accessible for DID subjects that refer to each other using the also-known-as property.
|
This mechanism poses a security risk through fishing. Giving access to data must be supported with a piece of crypto (VCs). The idea for creating synonyms is OK, but it must be done in a different way. |
RFC010 defines how a DID subject can authenticate with another DID subject when the DID subjects are, in fact, the same organization.
Closes #18