[Openid-specs-native-apps] privacy enabling options in NAPPS

Mike Varley mike.varley at securekey.com
Wed Jan 15 14:51:40 UTC 2014


Hello all,

After corresponding with John (unintentionally off list, as I tried to post some a2p3 details and got hung up) we have come up with the following direction for NAPPS to support ‘privacy enabled applications’: we won’t try and absorb anything from the a2p3 spec, but rather tweak the NAPPS spec to support a ‘privacy enabled’ profile (to be developed in the future as needed).

There are a lot of interesting/complex issues around supporting a privacy enhanced trust ecosystem like a2p3 describes, and there is little gain in trying to address that in the NAPPS spec. Rather, NAPPS should be defined in a way that a future spec / spec set can address this stuff.

As such, there are only a few changes to NAPPS being proposed:

1.) separate Authentication from Authorization - this *may* be handled by two distinct entities. This can apply to enterprise situations as well, and John pointed out that the current NAPPS spec doesn’t explicitly couple them together anyway.
- from a privacy perspective, this allows an entity to provide user authentication assertions, without knowing what resources the authentication is for.

2.) allow for multiple Secondary Tokens to be requested from + delivered back to the App. This may require a change to the Authorization Request in 7.1.1 and AppInfo description + response in 7.2.2  — TBD.
- from a privacy perspective, this allows applications to correlate data from various sources, without those resources having a relationship defined anywhere outside the application space. Resource servers may still have access control policies for which applications can obtain data.

John and I feel this is a much better way forward for the NAPPS spec, as the changes can apply to any NAPPS environment (enterprise, commercial, privacy enhanced) and this keeps the spec from getting mired in pedantic details specific to privacy issues.

Do others feel more comfortable with this approach? Are there any concerns?

Thanks, 

MV






