1C/ Guardian Agent vs Expert Agent / Adrian G

From IIW

Session 1C

Guardian Agent vs. Expert Agent


Session Convener: Adrian Gropper

Notes-taker(s): Christopher Kula


Tags / links to resources / technology discussed, related to this session:

https://datatracker.ietf.org/wg/gnap/documents/

https://docs.google.com/presentation/d/1Bn06OC5D8jlLbhOz53rFEjbKdh_kw9GZPCosiAEMs38/edit#slide=id.p


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Previous work: definition wallets vs. agents


Open Wallet Foundation (Linux Foundation)

  • new efforts such as driver's licences
  • not a standards body: instead building a library of OS software


Discussion: interoperable protocols


Issue arises: what is a wallet vs. an agent?


Self-sovereignty can apply to an individual (as a right) -- it can also mean something that you empower with control. Blockchains embody this principle.


Everything has to do with delegation.


Guardian



Somebody like the parent of a minor, or taking care of an elder. May or may not be a fiduciary.


A guardian is not assumed to be an expert.


1:1 relationship between a guardian and an identity. [Alan K. questions...]


Expert



1:many [Considered the term "aggregator"]


Examples:

  • Money manager
  • Physician
  • Lawyer
  • Gang
  • Representative (e.g. Congress)


Terms



Human

  • Accountable in the legal sense


Hardware

  • Has a biometric component
  • [Q: Is this required? A: pretty much yes]


Agent

  • Software in the cloud
  • Does not have a biometric link
  • [Can the agent be held responsible?]


Resource Server


Delegation:


Protocols that enable -

The ability to give a subset of one's rights to another [sth.]. Principle of Least Privilege.
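As an added illustration (not from the session, and not GNAP itself), a Python sketch of attenuation-only delegation: a guardian holding an identity's full rights (1:1) issues a signed grant of a subset to an expert agent that may serve many principals (1:many), and the resource server honours only valid grants. Principal names, rights and the HMAC secrets standing in for signing keys are constructed placeholders.

```python
import hmac
import hashlib
import json

# Constructed example: plain HMAC secrets stand in for each guardian's real
# signing key; principals and rights are invented labels.
KEYS = {"guardian_alice": b"alice-secret", "guardian_bob": b"bob-secret"}

def _sign(key: bytes, grant: dict) -> str:
    """HMAC over the canonical JSON of the grant, excluding its signature."""
    body = json.dumps({k: v for k, v in grant.items() if k != "sig"},
                      sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def delegate(delegator: str, delegatee: str, held: set, requested: set) -> dict:
    """A guardian delegates `requested` rights to an expert agent.

    Least privilege: the grant may only be a subset of what the guardian
    itself holds. Anything beyond that is refused, not silently trimmed.
    """
    excess = requested - held
    if excess:
        raise PermissionError(f"{delegator} cannot delegate {sorted(excess)}")
    grant = {"from": delegator, "to": delegatee, "rights": sorted(requested)}
    grant["sig"] = _sign(KEYS[delegator], grant)
    return grant

def verify(grant: dict) -> bool:
    """Check the grant against the delegator's key; tampering fails here."""
    key = KEYS.get(grant.get("from"))
    if key is None:
        return False
    return hmac.compare_digest(_sign(key, grant), grant["sig"])

def authorize(grants: list, agent: str, principal: str, right: str) -> bool:
    """Resource-server decision: may `agent` exercise `right` on behalf of
    `principal`? Only a valid grant from that principal's guardian counts."""
    return any(g["from"] == principal and g["to"] == agent
               and right in g["rights"] and verify(g) for g in grants)

if __name__ == "__main__":
    alice = {"read_records", "schedule", "pay"}
    bob = {"read_records", "schedule"}
    grants = [
        delegate("guardian_alice", "physician_agent", alice, {"read_records", "schedule"}),
        delegate("guardian_bob", "physician_agent", bob, {"read_records"}),  # same agent, 1:many
    ]
    print(authorize(grants, "physician_agent", "guardian_alice", "pay"))   # False: never delegated
    print(authorize(grants, "physician_agent", "guardian_bob", "read_records"))  # True
```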


The IT community tries to apply the same solutions to identifying people as to barcoding things. Bad things happen.


Q: example of misuse

A: Google Docs

   The business model is built around: when you use it, you are forced to delegate your privileges for access.
   All "hyperscale" platforms: Twitter, FB, etc.

Tortured attempts to shoehorn SSI into OAuth.


Q: How do we make data interoperable? What is the objective of this session?

A: To speed up the process of interop.


Open identity auth was not enforced in design of backbone providers.


Q: Where do you want that interop to be?

A: Ex.: In the hardware layer there are (at least) two camps.

 1) Link between biometrics and human is a human right. Hope that Apple, Google, etc. give it away.
 2) Google and Apple etc. should not be able/allowed to participate in that interaction.

Alan: Do you require wallet registration before you recognize a wallet, or do you have a protocol?


Example implementation: GNAP (Grant Negotiation and Authorization Protocol)


How can this (present) conversation help GNAP?

  • Nobody in that community talks about biometrics.
  • We should treat people differently than things.


Difference between GA and EA:

  • Pet peeve: asymmetry of power between individuals and the resource server.
  • To deal with that, you need to bring in an expert / union / gang / rep.


Orig. sin of SSI: implying that members of the trust triangle are equal peers. Assumption is unfair.


Q: Even if biometrics is assumed, the format (template) -- e.g. hash of facial features -- is not uniform.

A: Non-proprietary templates.


Alt. term for expert: specialist?


Mitigations to OAuth or GNAP:

 1) Unrestricted choice of agent
 2) Capabilities, i.e. choice in regards to delegation
 3) Token exchange