0.6 protocol migration: Signed Data Model #56
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kevinr
reviewed
Oct 26, 2022
Co-authored-by: Kevin Riggle <[email protected]>
this ensures that the `kid` an the `iss` claim match Co-authored-by: Kevin Riggle <[email protected]>
added 6 commits
November 3, 2022 12:21
has it been a year already
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This protocol revision moves towards a more robust security model briefly described in #54, the first part of a slow migration towards integrating some of our oldest feedback in #4 having come full circle on OIDC, OAuth2, and back to asymmetric signatures for the entire Data Rights Request. This builds on the research that @kevinr has been developing with us and the partner companies over the last few months.
In short, the entire Data Rights Request submitted in
POST /exercisewill be wrapped in a signed body. For now that envelope will continue to be an RFC 7515 JWT, but we are evaluating a move to https://doc.libsodium.org/ in coming protocol revisions. The core of this diff is thus a signed data model of a flattened Data Rights Request described in section 2.02 wrapped in JWT signed by asymmetric keysThe up-shot of this data model is that all
POSTrequests to the API eventually will be signed by a private key, and the "service directory" we have been mulling over can simply be a mapping of "authorized agent key id" (thekidparameter inPOST /exercise) to the public key of the authorized agent, and there is no need for pair-wise API key exchange.In line with work that @dazzaji is preparing for the initial "public" version of the system rules, i've taken some liberties to clarify the Identity Verification systems within the technical specification -- to say that we haven't actually spent much time on the dynamic
need_user_verificationflow and that the initial IDv pipeline will be much simpler.There is a short list of work that needs to be addressed before a 0.6 is ready for full consideration:
I plan to tackle these in this diff:
POST /revokeshould be re-written to accept signed requestGET /statusauthentication needs to be modeled, at least discussed. This is the major shortcoming of the signed data model in my eyes but maybe we can come up with a model that works for this. We could make this a POST but that doesn't feel "rest-y" but i am not sure i care.These will be added before 0.6 is tagged:
I did a pretty brash pass-through of this document and nipped-and-tucked some other confusing stuff like the distinction between the actors and the interfaces (#55)... i should have done this in a number of diffs, but stacking markdown diffs on github is worse than a visit to the dentist so this is what we get for the first revision.