Consent envelopes in Solid #37

Open
bjdmeest opened this issue May 23, 2022 · 4 comments
Labels
challenge technical problem applied to a use case proposal: approved ✅ topic: security

Comments

@bjdmeest

bjdmeest commented May 23, 2022

Only shoe shops can see my shoe size

Pitch

Consent flows in Solid are currently underdeveloped: it's not fully clear how authorized data processing stays in line with the given permissions, i.e., is trustworthy. For example: I want to share my shoe size with all shoe shops (but not all shops!).

Desired solution

  • A consent service that manages and clears my consent envelopes
  • A consent app that helps me manage my consent envelopes, i.e., where I can manage rules like "all ?x of type :shop that :sells :shoes can access pod.bjmeest.com/shoeSize", which get stored in the consent service

Acceptance criteria

  • In my consent app, I specify that the resource containing my current shoe size can be accessed by all verified shoe shops in Belgium
  • After I log into "The Nice Little Shoe Shop" app, the app goes via my consent service to ask for permission to get my shoe size. The consent service verifies the request, and clears the consent
  • "The Nice Little Shoe Shop" app can directly access my shoe size and personalize its service
  • After I log into "The Malicious Huge Dark Shoe Shop" app, the app goes via my consent service to ask for permission to get my shoe size. The consent service verifies the request, and sees that this shop is not a Belgian verified shoe shop so cannot access my shoe size. I can still use the app, but not personalized.

Pointers

  • TBD how much more you need on top of ACP rules with extended matchers (that translates to 'default' ACP rules in the solid pod?)
  • TBD how much 'legal' stuff is needed, or we can resort to something like Verifiable Credentials to make sure every processing request is OK

I could change the use case to 'only share blood pressure measurements with verified medical staff', but that has an additional step probably: first verify the hospitals/medical companies, then its staff.
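
The acceptance criteria in the post above, sketched as a deny-by-default check a consent service could run. This is an added example, not part of the original issue and not code from the Solid project. The rule shape, claim fields, issuer URLs and function names are hypothetical, and claim signatures are assumed to be verified before this step.

```javascript
// Added illustration: rule shape, claim fields and issuer URLs are hypothetical.
const ISSUER = "https://registry.example/be-shops"; // constructed trusted registry
const TRUSTED_ISSUERS = new Set([ISSUER]);
const RESOURCE = "pod.bjmeest.com/shoeSize";

// The rule from the post: all ?x of type :shop that :sells :shoes, verified in Belgium.
const ENVELOPES = [{ resource: RESOURCE, mode: "read",
  require: { type: "shop", sells: "shoes", country: "BE" } }];

// Collect attribute values, counting only unexpired claims from trusted issuers.
// Assumption: each claim's signature was already verified before this step.
function verifiedAttributes(claims, now) {
  const attrs = new Map();
  for (const c of claims) {
    if (!TRUSTED_ISSUERS.has(c.issuer)) continue; // self-asserted: ignored
    if (!(Date.parse(c.expires) > now.getTime())) continue; // expired or undated: ignored
    if (!attrs.has(c.key)) attrs.set(c.key, new Set());
    attrs.get(c.key).add(c.value);
  }
  return attrs;
}

// Deny by default: grant only when an envelope covers the resource and mode
// and every attribute it requires is backed by a verified claim.
function clearConsent(request, envelopes, now) {
  const attrs = verifiedAttributes(request.claims, now);
  let missing = ["no matching envelope"];
  for (const env of envelopes) {
    if (env.resource !== request.resource || env.mode !== request.mode) continue;
    missing = Object.entries(env.require)
      .filter(([key, value]) => !attrs.get(key)?.has(value))
      .map(([key]) => key);
    if (missing.length === 0) return { granted: true, missing };
  }
  return { granted: false, missing };
}

// Constructed sample requests for the two apps in the acceptance criteria.
const claim = (key, value, issuer = ISSUER) =>
  ({ key, value, issuer, expires: "2030-01-01T00:00:00Z" });
const NOW = new Date("2025-01-01T00:00:00Z");
const niceShop = { resource: RESOURCE, mode: "read",
  claims: [claim("type", "shop"), claim("sells", "shoes"), claim("country", "BE")] };
const darkShop = { resource: RESOURCE, mode: "read", claims: [claim("type", "shop"),
  claim("sells", "shoes"), claim("country", "BE", "https://dark-shop.example/self")] };

console.log(clearConsent(niceShop, ENVELOPES, NOW));
console.log(clearConsent(darkShop, ENVELOPES, NOW));
```

The second request is refused because its Belgian-shop claim comes from an issuer outside the trusted set, so the required `country` attribute counts as missing.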

@pheyvaer
Contributor

pheyvaer commented Aug 2, 2022

@RubenVerborgh What changes do you want to see here?

@RubenVerborgh
Contributor

For one of the cases to be fully fleshed out (or two cases, but then it would likely be a separate challenge).

@pheyvaer
Contributor

pheyvaer commented Sep 2, 2022

@bjdmeest Can you implement the aforementioned changes?

@bjdmeest
Author

Yes, implemented!
