-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Distinction between policies which can be enforced by technology and by law #286
Comments
I'd like to note that by simply not granting some user When for example Data Grant have such policy attached. When grantee tries to delegate it, their Authorization Agent can warn them about the fact that this would break policy set by the Resource Owner who granted them access. |
Just to point out that with OAC (w3id.org/oac), you can already communicate/create a policy that states that sharing with others is prohibited, e.g.,
Full example here. However the |
Thank you @besteves4
I'm making a case here that many policies can NOT be enforced technologically. For example, once we have given someone access we can't truly prevent them from sharing it further. It seems pretty straight forward to create proxy which would enable sharing one's access using impersonation approach. I think in general, any policies that apply after a request for a protected resource has been made and access has been granted, can be only enforced through legal means. I see scenarios where after detecting that policy has been violated future access could be revoked. In that case, an enforceable access policy would be probably just based on the simple identity of an agent whose violation has been detected. We possibly could support annotating such a new policy for that specific agent with information about the prior violation of another general policy as the reason for their access being revoked. |
This comment has been minimized.
This comment has been minimized.
Hi. IMHO - "technological control" is entirely based on what the environment provides or makes possible. For the current Solid spec, this is controlling whether someone can read/write/modify/erase data - and only this. There is no "technological contorl" for why someone may want to read/write that data i.e. its purpose. For example, if an app wants to read your contacts (data) to help with sending an email (purpose) - then the only way to technologically enforce or at least control this is to assert the purpose alongside the access request. In this case, The only method for completely controlling the purpose would be to set up a trusted execution environment where that purpose is implemented. Otherwise there is always a degree of trust that is needed in the app/service doing only what it says is doing. There is always legal enforceability, but IMHO technology should assist with it by providing accountability artefacts (e.g. policies accepted, logs recorded). Which is why I argue for reflecting technological designs to be compatible with legal requirements to make such tasks easier. Here is an article where we argue for why there should be user-side stored logs and (authenticated) receipts to provide accountability where it is not always possible to control all the execution - https://doi.org/10.1109/ACCESS.2022.3157850 Its about consent, but you can consider this to be applicable to any decision - including providing apps with certain authorisations. This means storing the decision made (e.g. which permissions to whom for what purpose) as well as the actions (e.g. app read data for stated purpose) - and through these enabling legal/technical/other forms of accountability. |
A while ago we had discussion around https://protect.oeg.fi.upm.es/odrl-access-control-profile/oac.html
I was emphasizing that many of ODRL policies can be enforced by technology, lead to access denied, they can only be enforced by legal action. I think we should provide distinct ways to express policies based on how they can get enforced.
Interesting example here would problems related to
acl:Control
access mode. While Resource Owner setting policies using this mode may get impression that it will prevent users withoutacl:Control
to share their access, I would consider such thinking as naive.In Delegation use case i list various pretty straight forward way how someone without
acl:Control
access can still fully share their access by using impersonation pattern. It may be clearer if policies restricting delegation are set as one that can be enforced by law not by technology. I think we may ended up with this naive notion of security associated withacl:Control
because we didn't provide way to express policies which are not enforceable by technology.TODO
The text was updated successfully, but these errors were encountered: