Creating an Ecosystem of Trusted Applications – OAuth2 Dynamic Client Registration

From IIW

Creating An Ecosystem Of Trusted Applications (OAuth2 Dynamic Client Registration)


Wednesday 10H

Convener: Alan Viars (VIdentity)

Notes-taker(s): Thomas Berry


Tags for the session - technology discussed/ideas considered:



Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


1. Notes received from Thomas Berry:


Use case: Health care applications need to register with many different data sources


Some ideas that support this:


UDAP: Unified Data Access Profiles (Lewis Moss)
Certifications and Endorsements for client applications
https://www.udap.org


The cert authority [endorsing body] signs the software statement
Links everything back to an X.509 cert authority
Comments:
- needs to follow trust models like “must encrypt”; must have a validation statement
- need an authoritative source to sign the app
- the issuer string resolves to the issuer, which is used to validate the signature
- certificate renewal becomes a problem



Pre-OAuth Entity Trust [POET] (Mark Scrimshire and Alan Viars)
github.com/TransparentHealth/poet/python-poetri
assign a JWT with app signature
The issuer is the issuer of the endorser;
what the endorsement means is out of scope


Comments:
- more scalable
- an app can only register if an endorser-signed JWT is obtained
- all endorsers must be whitelisted
- PKI would allow you to trust a root where all endorsers are subordinate (?)
- health care uses a direct trust/trust bundle of endorsers/issuers
- application governance problem
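To make the UDAP and POET flows above concrete, here is an added example (not code from POET, UDAP or this session) of the two steps the notes describe: an endorser signs a software statement as a JWT, and the authorization server's dynamic registration endpoint resolves the iss claim against a whitelist of endorser keys and verifies the signature before it registers the app. Ed25519 (JWS alg "EdDSA"), the claim set and the issuer URL are assumptions chosen so that it runs with Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// SoftwareStatement holds the RFC 7591 claims used here; "iss" names the endorser.
type SoftwareStatement struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
}
var b64 = base64.RawURLEncoding
// SignStatement is the endorser's step: a compact JWS (alg EdDSA) over the claims.
func SignStatement(st SoftwareStatement, key ed25519.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, err := json.Marshal(st)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(key, []byte(input))), nil
}
// RegisterClient is the registration endpoint's check: iss selects the endorser key
// from the whitelist; an unknown issuer, wrong alg or bad signature rejects the request.
func RegisterClient(token string, whitelist map[string]ed25519.PublicKey) (*SoftwareStatement, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed software statement")
	}
	var hdr struct{ Alg string `json:"alg"` } // pin the alg first: "none" or anything else is refused
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unsupported or missing alg")
	}
	var st SoftwareStatement
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &st) != nil {
		return nil, errors.New("unreadable claims")
	}
	pub, ok := whitelist[st.Iss] // only whitelisted endorsers can vouch for an app
	if !ok {
		return nil, errors.New("endorser not whitelisted: " + st.Iss)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("invalid endorser signature")
	}
	return &st, nil
}
```

A statement signed by a key that is not on the whitelist fails even when its iss claim names a whitelisted endorser, which is the property the whitelist comment above relies on.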


This is similar to the user-consent use case, where a user consents to an app accessing their data; here the endorser consents to the app registering dynamically and being provided data.


The endorser endorses that the company and its domain exist... but most endorsers don’t care. Who is curating the apps?


Other efforts exist to establish a code of conduct for applications presenting user data.


Companies want to vet the apps; they won’t dynamically trust them.


carinalliance.com: Apple, Microsoft, Google, etc.

Enabling consumers and their authorized caregivers to access more of their digital health information with less friction.