A Protocol for Decentralized Authorization

W3C CCG Presentation

Adrian Gropper, MD

November 12, 2019


MVP = Minimum Viable Protocol for Decentralized Authorization

DID and VC for Alice to Bob Protocols

Alice-to-Bob Examples

  • School
  • Hospital
  • Social Media
  • Dating Service
  • Ride Service

vs. Alice-to-Alice

  • Personalization
  • Netflix, Toyota, Nike, Wells Fargo, Expedia

Alice-to-Bob Decentralization is Hard

  • Reputation
  • Search
  • Transactions
  • Network effect / centralization benefit vs. Context for a decentralized platform


Decentralized IDentifiers and Verifiable Credentials are W3C standards-track projects for self-sovereign ID

M V Protocol: Connects three separate entities

[Diagram: the MVP connects Storage, Alice’s Agent and Bob’s Agent. A second view of the same diagram adds the labels Resource Owner’s Authorization Server, Requesting Party’s Client and Resource Server.]

M V Protocol Sequence

Resource Server (RS) publishes scopes

  • Resource Owner (RO) authenticates to RS
  • RS registers RO agent’s service endpoint
  • Requesting Party (RqP) agent presents:
    • Credentials
    • Scope Request
    • Intended Use
  • RO agent serves authorization to RqP agent
  • RS executes scope of authorization to RqP client, or (optionally) notifies RO agent

[Sequence diagram: steps 1 to 5 among RO, RqP and RS]

M V Protocol Sequence in Self Sovereign ID Terms

Resource Server (RS) publishes scopes

  • Issuer (RO) has trusted root to RS
  • Verifier RS accepts RO signature as valid
  • Data Subject (RqP) Holder presents:
    • Credentials
    • Scope Request
    • Intended Use / Terms of Use
  • Issuer serves credential to Holder
  • Verifier executes scope of authorization to RqP Holder, or (optionally) notifies Issuer of Terms of Use violation

[Sequence diagram: steps 1 to 5 among RO (Issuer), RqP (Holder) and RS (Verifier)]
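The sequence on the two slides above, as an added sketch that is not part of the original presentation: the RS registers the RO agent, the RqP presents a credential, scope request and intended use, the RO agent serves a signed authorization, and the RS checks it before executing the scope. The scope names, credential identifier, endpoint URL and policy shape are constructed for illustration, and an HMAC with a shared demo key stands in for the RO agent's signature so the code needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed sample values; none of these names come from the slides.
PUBLISHED_SCOPES = {"records.read", "records.write"}  # RS publishes scopes
RO_KEY = b"constructed-demo-key"  # assumption: stand-in for the RO agent's signing key

def _mac(body):
    # HMAC replaces a real signature here; a deployment would verify a public-key signature.
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(RO_KEY, msg, hashlib.sha256).hexdigest()

class ROAgent:
    """Alice's agent: evaluates a request and serves a signed authorization."""
    def __init__(self, policy):
        self.policy = policy  # {credential: {scope: set of permitted uses}}

    def authorize(self, request):
        uses = self.policy.get(request["credential"], {}).get(request["scope"], set())
        if request["intended_use"] not in uses:
            return None  # Alice's policy does not cover this request
        body = dict(request)
        return {"body": body, "sig": _mac(body)}

class ResourceServer:
    """Storage: holds the resource and the registered endpoint of the RO agent."""
    ro_endpoint = None

    def register_ro_agent(self, endpoint):
        self.ro_endpoint = endpoint  # done once the RO has authenticated to the RS

    def execute(self, authz, scope):
        if self.ro_endpoint is None or authz is None:
            return "denied"
        if not hmac.compare_digest(authz["sig"], _mac(authz["body"])):
            return "denied"  # authorization was altered after the RO agent signed it
        if scope not in PUBLISHED_SCOPES or authz["body"]["scope"] != scope:
            return "denied"  # the grant does not cover the scope being executed
        return "executed " + scope

def run_sequence(scope, intended_use, tamper=False):
    rs = ResourceServer()
    rs.register_ro_agent("https://ro-agent.example/authorize")
    ro = ROAgent({"bob-credential": {"records.read": {"treatment"}}})
    request = {"credential": "bob-credential", "scope": scope, "intended_use": intended_use}
    authz = ro.authorize(request)
    if authz and tamper:  # the grant is edited between the RO agent and the RS
        authz["body"]["scope"] = scope = "records.write"
    return rs.execute(authz, scope)
```

The RS never evaluates Alice's policy itself; it only checks that the authorization is intact and matches the scope it is asked to execute.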

Two kinds of standard storage API

Cloud Agent to Storage (“Vault”)

  • Alice may not need an Edge Agent
  • Bob always finds Alice’s agent online
  • Bob always has to ask Alice
  • Alice’s service provider chooses storage
  • Storage is typically a GDPR Data Processor
  • Storage functionality is relatively simple
  • Storage providers don’t help SSI adoption

Edge Agent to Storage (“Hub”)

  • Alice doesn’t need a Cloud Agent
  • Bob may find Alice’s agent online
  • Bob can deal more efficiently with storage
  • Alice chooses storage
  • Storage is typically a GDPR Data Controller
  • Storage functionality is more complex
  • Storage providers can speed SSI adoption


Other MVP Issues

  • Bob’s agent is often different from Bob’s client
  • Bob may want to delegate to Carol as RqP
  • Storage may need to notify Alice if authorization is not honored
  • Storage SHOULD support HTTPS
  • Alice-to-Alice SHOULD work with Alice’s edge or cloud agent
  • Scope standards, registries and context add complexity


Thank you!


Adrian Gropper

CTO

Patient Privacy Rights

agropper@patientprivacyrights.org
