Creating an Ecosystem of Trusted Applications (OAuth2 Dynamic Client Registration)
Wednesday 10H
Convener: Alan Viars (VIdentity)
Notes-taker(s): Thomas Berry
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
1. Notes received from Thomas Berry:
Use case: Health care applications can register with a lot of different data sources
Some ideas that support this:
- UDAP Unified Data Access Profiles (Lewis Moss)
  - Certifications and Endorsements for client applications
  - Cert authority [endorsing body] signs the software statement
  - Links everything back to an X.509 cert authority
  - Comments:
    - needs to follow trust models like “must encrypt”; must have a validation statement
    - need an authoritative source to sign the app
    - the issuer string resolves to the issuer in order to validate the signature
    - certificate renewal becomes a problem
- Pre-OAuth Entity Trust [POET] (Mark Scrimshire and Alan Viars)
  - github.com/transparent health/poet/python-poetri
  - assign a JWT with the app signature
  - Issuer is the issuer of the endorser; what the endorsement means is out of scope
  - Comments:
    - more scalability
    - can only register if an endorser-signed JWT is obtained
    - all endorsers must be whitelisted
    - PKI would allow you to trust a root where all endorsers are subordinate (?)
    - health care uses a direct trust/trust bundle of endorsers/issuers
    - application governance problem
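The POET idea above comes down to two checks on the authorization server: the software statement presented at dynamic registration must be signed by an endorser, and that endorser's issuer string must be on the server's whitelist before the signature is even consulted. The following is an added example written for these notes; it is not the python-poetri code, UDAP, or any project's implementation. It assumes an ES256 JWS as the statement format, the RFC 7591 `software_statement` claim names `client_name`/`redirect_uris` alongside `iss`/`sub`/`exp`, a whitelist modelled as a map from issuer string to endorser public key, and constructed issuer and application identifiers (`https://endorser.example`, `app-123`); real POET statements may carry different claims.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// SoftwareStatement is the endorser-signed claim set a client presents at
// dynamic registration. Claim names beyond iss/sub/exp are assumptions
// borrowed from RFC 7591 client metadata.
type SoftwareStatement struct {
	Iss          string   `json:"iss"` // endorser that signed the statement
	Sub          string   `json:"sub"` // application being endorsed
	ClientName   string   `json:"client_name"`
	RedirectURIs []string `json:"redirect_uris"`
	Exp          int64    `json:"exp"` // unix seconds
}

// Directory is the authorization server's whitelist of endorsers, keyed by issuer.
type Directory map[string]*ecdsa.PublicKey

// Trust records an endorser's public key under the issuer string it signs with.
func (d Directory) Trust(iss string, key *ecdsa.PrivateKey) { d[iss] = &key.PublicKey }

// NewEndorserKey creates a P-256 key; a stand-in for an endorser's CA-backed key.
func NewEndorserKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign is the endorser side: a compact ES256 JWS over the statement.
func Sign(st SoftwareStatement, key *ecdsa.PrivateKey) (string, error) {
	body, err := json.Marshal(st)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64(body)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verify is the authorization-server side. The issuer is looked up in the
// whitelist before the signature check, so an unlisted endorser's key is never
// consulted, and alg is pinned to ES256 so a "none" or HMAC header is refused.
func Verify(token string, dir Directory, now int64) (*SoftwareStatement, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed software statement")
	}
	dec := base64.RawURLEncoding.DecodeString
	hb, err := dec(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pb, err := dec(parts[1])
	if err != nil {
		return nil, err
	}
	var st SoftwareStatement
	if err := json.Unmarshal(pb, &st); err != nil {
		return nil, err
	}
	pub, ok := dir[st.Iss]
	if !ok {
		return nil, fmt.Errorf("issuer %q is not a whitelisted endorser", st.Iss)
	}
	sig, err := dec(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return nil, errors.New("signature does not verify under the endorser key")
	}
	if now >= st.Exp {
		return nil, errors.New("software statement expired")
	}
	return &st, nil
}

// Register admits a client only on a valid statement and derives the client_id
// from the endorsed application identifier.
func Register(token string, dir Directory, now int64) (string, error) {
	st, err := Verify(token, dir, now)
	if err != nil {
		return "", err
	}
	return "client-" + st.Sub, nil
}

func main() {
	endorser, _ := NewEndorserKey()
	rogue, _ := NewEndorserKey() // a key no one whitelisted
	dir := Directory{}
	dir.Trust("https://endorser.example", endorser) // constructed issuer string
	st := SoftwareStatement{Iss: "https://endorser.example", Sub: "app-123", ClientName: "Demo Health App",
		RedirectURIs: []string{"https://app.example/cb"}, Exp: 1_700_003_600}
	good, _ := Sign(st, endorser)
	fmt.Println(Register(good, dir, 1_700_000_000))
	forged, _ := Sign(st, rogue) // identical claims, unlisted signer: rejected
	fmt.Println(Register(forged, dir, 1_700_000_000))
}
```

Ordering matters: resolving the issuer through the whitelist first is what makes "all endorsers must be whitelisted" enforceable, since a statement naming an unknown `iss` is dropped before any key material is fetched or any signature math runs. The `exp` check is what turns the certificate-renewal concern raised for the X.509 approach into a periodic re-endorsement step for the endorser.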
This is a similar use case to user consent for an app to access data: the endorser consents to the app's dynamic registration and to it being provided data.
The endorser endorses that the company and its domain exist... but most endorsers don’t care. Who is curating the apps?
Other efforts to establish a code of conduct for applications presenting user data.
Companies want to vet the apps; won’t dynamically trust the apps
carinalliance.com: Apple, Microsoft, Google, etc.
Enabling consumers and their authorized caregivers to access more of their digital health information with less friction.