Delegation: Difference between revisions

From IDESG Wiki
Line 39: Line 39:
|stipulation || || ||MAY
|stipulation || || ||MAY
|-
|-
|yada || || ||MAY
|jwk || key of the signer||include by value or by ref ||MAY
|-
|-
|signature || || ||MUST
|signature || JWS|| created by the sub's key||MUST
|-
|-
|}
|}


==References==
==References==
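Review bot: the new jwk row is MAY while the signature row requires a JWS "created by the sub's key", so when jwk is omitted the table does not say how a verifier obtains the sub's key; "include by value or by ref" names no reference mechanism either. Suggest either making jwk MUST or adding a sentence to the explanation column stating how the key is located by reference, so that a Resource Server can always check the MUST signature.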

Revision as of 00:14, 25 July 2020

Full Title or Meme

Delegation allows the owner of access to a resource to give some subset of that ability to another party.

Context

  • This wiki page is focused on the need for a digital entity on the web to give some other party the ability to exercise some of its capabilities with respect to some other digital entity.
  • In the case of human users of the web, they will have a User Agent through which they can express their intents on the web.
  • Some examples of delegation include:
    • A manager goes on vacation and provides a temporary replacement with the ability to control access to the division web site repository.
    • A person is declared unfit to manage their affairs by a court of competent jurisdiction and a guardian is appointed.
    • A parent and a child have the reversed case, where the parent gives the child some ability to visit web sites that have age restrictions.
    • The president of the United States goes into surgery and passes control of the nuclear deterrent to the vice president.
    • A husband and wife give each other the ability to make medical decisions for them, with a defined set of limitations.
    • I add medical conditions to my smartphone so that any authorized EMT can view them if I am found comatose.

Use Cases

Actors

  • A valuable Resource that is hosted on a Resource Server. (Typically data, but it could also be a service API.)
  • The Resource Owner that controls access to the Resource.
  • The user of the Resource that receives the delegation token from the Resource Owner.
  • The Relying Party that needs access to the Resource.

Solutions

  • For this wiki the solution will be some sort of digital token that identifies the subject and is signed by the subject's private key.
  • The following table shows the elements, in JSON format, that are included in the token.
  • The best practice for this token is to send it as a signed, but not encrypted, JOSE-formatted string with a JWS signature. This allows the token to be embedded in the grant that is sent to a Resource Server by the user.
{| class="wikitable"
! Element Name !! Contents !! Explanation for category !! Cat
|-
| sub || identifier of the RO || || MUST
|-
| user || Identifier of the recipient of this grant || Must be linked to a signing key || MUST
|-
| stipulation || || || MAY
|-
| jwk || key of the signer || include by value or by ref || MAY
|-
| signature || JWS || created by the sub's key || MUST
|}
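As an added example (not code from the IDESG wiki), the following Go program issues a compact JWS delegation token carrying the table's elements, with the signer's key included by value as jwk, and then verifies a received token using only the key inside it. It assumes EdDSA (Ed25519) as the JWS algorithm, which the page does not specify; the Sign and Verify names and the sample identifiers are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS compact serialization: base64url without padding

// Exactly one protected header is accepted (EdDSA, RFC 8037); comparing the encoded header
// byte-for-byte rejects "alg" confusion such as "none" or an HMAC alg keyed with the public key.
const header = `{"alg":"EdDSA","typ":"JWT"}`

// Delegation holds the table's elements; "jwk" carries the signer's public key by value.
type Delegation struct {
	Sub         string            `json:"sub"`
	User        string            `json:"user"`
	Stipulation string            `json:"stipulation,omitempty"`
	JWK         map[string]string `json:"jwk"`
}

func decode(s string) []byte { b, _ := b64.DecodeString(s); return b }

// Sign builds a compact JWS (header.payload.signature) with the Resource Owner's private key.
func Sign(priv ed25519.PrivateKey, d Delegation) (string, error) {
	pub := priv.Public().(ed25519.PublicKey)
	d.JWK = map[string]string{"kty": "OKP", "crv": "Ed25519", "x": b64.EncodeToString(pub)}
	payload, err := json.Marshal(d)
	if err != nil { return "", err }
	input := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// Verify checks the JWS against the key carried in its own "jwk". A good signature proves only
// that the holder of that key signed it; binding the key to "sub" is a separate check for the RS.
func Verify(token string) (*Delegation, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != b64.EncodeToString([]byte(header)) { return nil, errors.New("bad protected header") }
	var d Delegation
	if json.Unmarshal(decode(parts[1]), &d) != nil || d.Sub == "" || d.User == "" { return nil, errors.New("MUST element missing") }
	pub, sig := decode(d.JWK["x"]), decode(parts[2])
	if d.JWK["crv"] != "Ed25519" || len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("bad jwk or signature encoding")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature does not verify")
	}
	return &d, nil
}
```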

References