Human-Centered Protocols
and
Zero Trust Architecture
Adrian Gropper
December 28, 2020
Contents
3
Guardian
Persona’s Agent (AS)
Secure User Agent (RO)
Encrypted Data Vault
chosen* by RO
Service Provider (SP)
Encrypted Data Vault
chosen* by SP
Requesting Party
Secure User Agent (RQ)
Institutional Client (RC)
Note: The roles of RO, RQ, AS, SP, and RC are defined per IETF GNAP.
The protocol connecting the roles may be GNAP or another protocol.
* Chosen in the sense that the bill is paid and the encryption key was / is known.
5
A1 - New Identity Proof
Biometric Unlock
Choose Authenticator
Holder
Attribute Presentation
Issuer’s Attribute Presentation / Revocation
New Relying Party
Authority
- Proof
- De-duplicate
- Audit
6
A2 - Single Sign-On
Biometric Unlock
Choose Authenticator
Holder
Attribute Presentation
Issuer
Attribute Presentation
Relying Party
7
A3 - Initialize a Persona
- Unlock
- New Persona
- Inherit Policy
Choose Wallet
- New AS Instance
- Create DID
Update AS Policy Store
8
A4 - New Service Registration
- Unlock
- Choose Persona
- Manage Policy
Choose Wallet
- Create DID
- Register as new customer
- Register AS
- Update AS Policy Store
9
B1 - Service Request
- Get Request
- Eval Policy
- Issue Authorization
- Verify Authorization
- Share Resource
- Enable Audit
- Update Policy Store
- Log Transaction Docs
Choose Wallet
- Unlock
- Present Claims
- Compose Request
- Present Authorization
- Access Resource
- Log Transaction Docs
- Update Resource Store
- Log Transaction Docs
- Audit Access
- Share Transaction Proof
10
B2 - Delegate Resource Access
- Eval Scoped Authorization
- Eval Exceptions
- Verify Authorization
- Share Resource
- Enable Audit
- Log Transaction Docs
Choose Wallet
- Unlock
- Reduce Scope
- Share Delegation
- Present Authorization
- Access Resource
- Log Transaction Docs
- Update Resource Store
- Log Transaction Docs
- Audit Access
- Share Transaction Proof
Choose Wallet
- Unlock
- Present Claims
- Accept Authorization
11
Wallet Functions
- Biometric Lock
- (Single Sign-On) Authentication
- Non-repudiable Signature
- Recovery
- Redundancy
- Offline Functionality
- EDV Control
- AS Control
- Consent & Policy Manager API
EDV Functions
- Confidential Storage
- Wallet as Client
- AS as Client
- Mobile / Cloud Sync
- Delegated Access
- Encrypted Indexes
- (Intel SGX) Implementation
- SMPC Implementation
12
Authenticator Functions
- Biometric Lock
- (Single Sign-On) Authentication
- Non-repudiable Signature
- Recovery
- Redundancy
- Offline Functionality
- EDV Control
- AS Control
- Consent & Policy Manager API
Consent & Policy Manager Functions
- Biometric Lock
- (Single Sign-On) Authentication
- Non-repudiable Signature
- Recovery
- Redundancy
- Offline Functionality
- EDV Control
- AS Control
- Consent & Policy Manager API
EDV
13
Guardian
GNAP AS
Mobile Wallet
CouchDB
Resource Server
Encrypted Data Vault
chosen by SP
Secure User Agent (RQ)
Institutional Client (RC)