Delegation: Difference between revisions

From IDESG Wiki
Revision as of 00:14, 25 July 2020

Full Title or Meme

Delegation allows the owner of access to a resource to give some subset of that ability to another party.

Context

  • This wiki page is focused on the need for a digital entity on the web to give another party the ability to exercise some of its capabilities with respect to some other digital entity.
  • In the case of human users, they will have a User Agent through which they express their intents on the web.
  • Some examples of delegation include:
    • A manager goes on vacation and provides a temporary replacement with the ability to control access to the division web site repository.
    • A person is declared unfit to manage their affairs by a court of competent jurisdiction and a guardian is appointed.
    • A parent and a child have the reversed case, where the parent gives the child a limited ability to visit web sites that have age restrictions.
    • The president of the United States goes into surgery and passes control of the nuclear deterrent to the vice president.
    • A husband and wife give each other the authority to make medical decisions for them, with a defined set of limitations.
    • I add medical conditions to my smartphone so that any authorized EMT can view them if I am found comatose.

Use Cases

Actors

  • A valuable Resource that is hosted on a Resource Server. (Typically data, but it could also be a service API.)
  • The Resource Owner that controls access to the Resource.
  • The user of the Resource that receives the delegation token from the Resource Owner.
  • The Relying Party that needs access to the Resource.

Solutions

  • For this wiki the solution will be some sort of digital token that identifies the subject (the Resource Owner) and is signed by the subject's private key.
  • The following table shows the elements, in JSON format, that are included in the token.
  • The best practice for this token is to send it as a signed, but not encrypted, JOSE-formatted string with a JWS signature. This allows the token to be embedded in the grant that the user sends to a Resource Server. Because the token is not encrypted, its contents are readable by every party that handles the grant, so the stipulation must not carry secrets; and the Resource Server must verify the JWS with a key it already trusts for the sub, not with whatever key the token itself presents.
Element Name   Contents                                     Explanation                       Category
sub            identifier of the RO (Resource Owner)                                          MUST
user           Identifier of the recipient of this grant    Must be link to a signing key     MUST
stipulation    structure                                    limits the scope of the grant     MAY
jwk            key of the signer                            include by value or by ref        MAY
signature      JWS created by the sub's key                                                   MUST

References