GNAP at IETF-111

July 26, 2021.

Chairs: Yaron Sheffer, Leif Johansson and Kathleen Moriarty

Minute Taker: Kristina Yasuda



GNAP interaction with VC-HTTP API W3C work, Adrian Gropper

Intro - Chief Technology Officer at a start-up (HIE of One), leads implementation of SSI protocols; was involved in the transition from UMA 1.0 to 2.0

- Will mainly cover Human Rights perspective on protocol design
- Efficiency shifts power to the sovereigns, not only individuals, but also enterprises
- DID data model standard alone is not enough, also need protocol standards, especially for Human Rights considerations

Human Rights Concerns

What is Self-sovereign identity (SSI)?

The future of the Internet and how to stop it J.Zittrain adaptation

W3C and DIF Protocol [sic: SIOP is OIDF] Work

Five questions
- How many authz protocols does the internet need? (other than GNAP)
- The problem with OAuth is lock-in and censorship (via client credentials)
- Self-Sovereign and Fiduciary agents
- How to detach "chain of custody" from verification (w/o biometrics)?
- Is GNAP the "narrow waist" of SSI?



Core protocol and Resource Server drafts - editors (Justin, Aaron, Fabian)

Update: WG now has two drafts.

Core draft update (-04 to -06)

Update on a new draft (Resource Server draft)

Mix-up attack discovered by researchers at Chalmers University of Technology in Sweden

Removed/modified features

Drafts next steps


General discussion

If the authentication exchange between the user and the AS is also protected using TLS, then it is no longer necessary to manage client instance keys.
This would allow many simplifications.
- Aaron: has not seen how using only TLS can bring the same level of security as client key protection. Client instance keys allow an access token to be bound to a particular instance, so that it cannot be replayed; with just HTTPS you cannot do that.
- Jamey Sharp: suggests refining the generic HTTP resource type, or having an IANA registry for resource types, so that there can be common ones, e.g. AS discovery.
- Resource and access-rights types are left unaddressed here, since the draft assumes the client knows what kind of resources it is asking for.
- Can we use GNAP for HTTP resources?
- Justin: interesting. The notion of registering the types has been discussed. Consensus: we do not want to require registration, but having a catalogue is useful; IANA is not for that.
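Added illustration of the token-binding point raised in the discussion above; this is not from the minutes or from the GNAP drafts. It models an AS that records which client-instance key each token is bound to, and an RS that checks a proof over the request before serving it, so a token string captured from a log, a proxy or a TLS-terminating middlebox cannot be used by anyone who lacks the instance key, and a captured signed request cannot be replayed. An HMAC secret per instance stands in for the asymmetric key proof a real deployment would use; all class, function and case names here are the example's own.

```python
import hashlib
import hmac
import secrets
import time


def signing_input(token, method, path, body, nonce, created):
    """Canonical bytes covered by the proof: token, request line, body hash, nonce, time."""
    return "\n".join(
        [token, method, path, hashlib.sha256(body).hexdigest(), nonce, created]
    ).encode()


class AuthorizationServer:
    """Issues access tokens and records which client-instance key each one is bound to."""

    def __init__(self):
        self.bindings = {}  # token -> key_id, or None for a plain bearer token

    def issue_token(self, key_id=None):
        token = secrets.token_urlsafe(24)
        self.bindings[token] = key_id
        return token


class ClientInstance:
    """One client instance holding its own key (HMAC secret as a stand-in for a private key)."""

    def __init__(self, key_id):
        self.key_id = key_id
        self.secret = secrets.token_bytes(32)

    def sign_request(self, token, method, path, body=b""):
        nonce = secrets.token_hex(8)
        created = str(int(time.time()))
        sig = hmac.new(self.secret, signing_input(token, method, path, body, nonce, created),
                       hashlib.sha256).hexdigest()
        return {"token": token, "method": method, "path": path, "body": body,
                "nonce": nonce, "created": created, "key_id": self.key_id, "sig": sig}


class ResourceServer:
    """Checks the token, its key binding, the proof and freshness before serving a request."""

    def __init__(self, auth_server, keys, max_skew=300):
        self.auth_server = auth_server
        self.keys = keys  # key_id -> verification key (a public key in a real deployment)
        self.seen_nonces = set()
        self.max_skew = max_skew

    def verify_request(self, req):
        if req["token"] not in self.auth_server.bindings:
            return "rejected: unknown token"
        bound_key = self.auth_server.bindings[req["token"]]
        if bound_key is None:
            # Bearer token: whoever holds the string is served. TLS protects it
            # in transit only; once leaked (logs, proxies, a rogue RS) it is replayable.
            return "accepted (bearer)"
        if req.get("key_id") != bound_key or bound_key not in self.keys:
            return "rejected: token not bound to presented key"
        if abs(time.time() - int(req["created"])) > self.max_skew:
            return "rejected: stale signature"
        if req["nonce"] in self.seen_nonces:
            return "rejected: replayed nonce"
        expected = hmac.new(self.keys[bound_key],
                            signing_input(req["token"], req["method"], req["path"],
                                          req["body"], req["nonce"], req["created"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["sig"]):
            return "rejected: bad signature"
        self.seen_nonces.add(req["nonce"])
        return "accepted"


def demo():
    """Constructed scenario: an honest instance, a leaked token string, a captured request."""
    auth = AuthorizationServer()
    honest = ClientInstance("instance-A")
    thief = ClientInstance("instance-B")
    rs = ResourceServer(auth, {"instance-A": honest.secret, "instance-B": thief.secret})
    results = {}

    bound = auth.issue_token(key_id="instance-A")
    req = honest.sign_request(bound, "GET", "/records/42")
    results["honest"] = rs.verify_request(req)
    results["captured_request_replayed"] = rs.verify_request(req)
    # The thief learned only the token string and presents it under the honest key_id.
    forged = thief.sign_request(bound, "GET", "/records/42")
    forged["key_id"] = "instance-A"
    results["stolen_token_wrong_key"] = rs.verify_request(forged)

    bearer = auth.issue_token()  # no key binding: what "just TLS" amounts to
    results["stolen_bearer"] = rs.verify_request({"token": bearer})
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} {outcome}")
```

The nonce set and `created` window are what stop a replay of a complete captured request; the key check is what stops use of a leaked token string. The bearer branch is deliberately left permissive to show the contrast: with binding removed, the RS has nothing to check beyond the token's existence.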

WG Next steps