RFC002 Add the NutsEmployeeIdentity means #256
Conversation
stevenvegt
changed the title
rfc/rfc002-authentication-token.md
Outdated
|
|
||
| The NutsEmployeeIdentity method is an authentication _means_ which allows a care organisation to assert the identity of the current user. The care organisation uses the information of the current user session to present the user with a statement about its identity and asks the user to confirm this. After confirmation this bundle of information is singed with the care organisation's public key. | ||
|
|
||
| This method makes it possible to assert a user identity without the need for a personal authentication means. This puts the care organisation in the role of identity issuer instead of a trusted third party. A use-case (Bolt) can choose to allow this authentication under certain (low risk) circumstances which still require a person to be authenticated in order to comply with the requirements of the [NEN7513](https://www.nen.nl/nen-7513-2018-nl-245399)(Dutch standard for logging in context of medical ICT). |
There was a problem hiding this comment.
Just call it "applicable legislation"? So the rfcs remain relatively free of national context?
There was a problem hiding this comment.
I made it an example. Since it is pretty relevant and there are more national things in this spec such as IRMA anyway.
rfc/rfc002-authentication-token.md
Outdated
| "credentialSubject": { | ||
| "@type": "EmployeeRole", | ||
| "identifier": "481", | ||
| "roleName": "Verpleegkundige niveau 2", |
There was a problem hiding this comment.
we can't standardize identifier and roleName yet. This is not part of the current problem and will open up discussions that are not needed at this point.
There was a problem hiding this comment.
It is the medewerkernummer, which ensures a unique identifier. I improved the spec to have either an unique identifier or an email address. The combination initials and family name is not guaranteed unique. I suspect the employee identifier is probably more available than an email address.
I made the roleName optional.
rfc/rfc002-authentication-token.md
Outdated
| 3. Personal information about the person (user) | ||
| 4. The employee role which contains information about the relationship between the care organisation and the user | ||
|
|
||
| #### 7.3.2 Challenge |
There was a problem hiding this comment.
A credential specification as input is a bit weird. What if we use the presentation exchange format? That would actually also be helpful for any OIDC capable wallet.
There was a problem hiding this comment.
I don't think we want to write a parser for that at the moment. Also, I think this is technically the credential, issued by the care provider which we let the user present by "signing the contract". By adding a @context, all these fields have a type and meaning. I used the relational model from schema.org, no custom fields were added.
Not sure how a new RFC will solve that problem? I don't like that option since it make thinks harder to find. Also, we explicitly state in section 7.1:
Which is what we do now. |
More information about the request fields Adds evidence in response made some fields optional PR feedback
Well, then we would have to have a conversation about how we create specifications somewhere in the future. RFCs are not meant to change. So we either use RFCs or have versioned specs. But not a mix. |
|
A simplification for the credential could be:
This would remove some if-this-then-that logic. email is really only needed as unique identifier. |
rfc/rfc002-authentication-token.md
Outdated
| "evidence": { | ||
| "type": "NutsBrowserSession", | ||
| "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62", | ||
| "ipAddress": "127.0.0.1" |
There was a problem hiding this comment.
The evidence is debatable. This data is new as opposed to the current authentication methods. What is the requirement to add this data?
rfc/rfc002-authentication-token.md
Outdated
| "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62", | ||
| "ipAddress": "127.0.0.1" | ||
| }, | ||
| "proof": { |
There was a problem hiding this comment.
"Normally" the proof is signed by the credentialSubject. That is a problem in this case. We can either:
- make a custom presentationType that indicates that the proof signature is from the same party as the credential issuer. Use a custom validator for that.
- issue the credential to a did:key and sign it with that key. That would then be an ephemeral key, only used once. Can reuse current proof validation. We would have to add the did:key method though.
So either throw away code or a little bit of extending functionality.
rfc/rfc002-authentication-token.md
Outdated
| * The `credentialSubject` which contains the following information: | ||
| 1. The `@type` which contains the `EmployeeRole` type to indicate the contents describes a EmployeeRole as defined by schema.org | ||
| 2. The `identifier` (optional) which contains the employee number or username. This identifier MUST uniquely identify one natural person within the care organisation. If this number is not available, the email address field of the `Person` MUST be used. | ||
| 3. The `roleName` (optional) which contains the name of the role of the person during this user session. |
There was a problem hiding this comment.
Why add this? Is the verifying party supposed to do something with it? If so, is it standardized? (if not, it's probably useless for the verifying party).
rfc/rfc002-authentication-token.md
Outdated
| 1. The `@type` which contains the Person type. | ||
| 2. The `initials` which contains the initials of the person. | ||
| 3. The `familyName` which contains the last name of the person. | ||
| 4. The `email` (optional) which contains the email address of the person. If the email is not available, the `identifier` field of `EmployeeRole` MUST be present. |
rfc/rfc002-authentication-token.md
Outdated
| @@ -401,3 +401,129 @@ Beside the mandatory VP fields, the following applies: | |||
| * The `proof.type` field MUST equal `NutsUziSignedContract`. | |||
| * The `proof.proofValue` field MUST contain the JWT in its compact serialization form as described in \[[RFC7515 section 3.1](https://tools.ietf.org/html/rfc7515#section-3.1)\]. | |||
|
|
|||
| ### 7.3 NutsEmployeeIdentity | |||
|
|
|||
| The NutsEmployeeIdentity method is an authentication _means_ which allows a care organisation to assert the identity of the current user. | |||
There was a problem hiding this comment.
"a care organization", is this the care organization making a statement on the user's identity, or the party verifying it?
rfc/rfc002-authentication-token.md
Outdated
| The care organisation uses the information of the current user session to present the user with a statement about its identity and asks the user to confirm this. | ||
| After confirmation this bundle of information is singed with the care organisation's private key. | ||
|
|
||
| This method makes it possible to assert a user identity without the need for a personal authentication means. |
There was a problem hiding this comment.
with lower level of assurance (LoA). Now it's only a note, but it's a very important trait of this authentication means.
rfc/rfc002-authentication-token.md
Outdated
| The proof section MUST contain the `challenge` from the request. | ||
|
|
||
| To add further accountability, an `evidence` SHOULD be added. | ||
| This object MUST be of the type `NutsBrowserSession` which SHOULD contain the `user-agent` field and the `ipAddress` field. |
rfc/rfc002-authentication-token.md
Outdated
| The response MUST contain a signed VerifiableCredential with a signature from the issuing care organisation. | ||
| This credential is contained in a VerifiablePresentation. | ||
| The presentation contains a proof with a signature. | ||
| Since the user doesn't have a private key, the private key from the care organisation is also used to sign the presentation. |
rfc/rfc002-authentication-token.md
Outdated
| } | ||
| ``` | ||
|
|
||
| #### 7.3.3 Response |
There was a problem hiding this comment.
What should a verifier check, on the response?
rfc/rfc002-authentication-token.md
Outdated
| ### 7.3 NutsEmployeeIdentity | ||
|
|
||
| The NutsEmployeeIdentity method is an authentication _means_ which allows a care organisation to assert the identity of the current user. | ||
| The care organisation uses the information of the current user session to present the user with a statement about its identity and asks the user to confirm this. |
There was a problem hiding this comment.
| The care organisation uses the information of the current user session to present the user with a statement about its identity and asks the user to confirm this. | |
| The attesting care organisation uses the information of the current user session to present the user with a statement about its identity and asks the user to confirm this. |
rfc/rfc002-authentication-token.md
Outdated
| @@ -401,3 +401,129 @@ Beside the mandatory VP fields, the following applies: | |||
| * The `proof.type` field MUST equal `NutsUziSignedContract`. | |||
| * The `proof.proofValue` field MUST contain the JWT in its compact serialization form as described in \[[RFC7515 section 3.1](https://tools.ietf.org/html/rfc7515#section-3.1)\]. | |||
|
|
|||
| ### 7.3 NutsEmployeeIdentity | |||
There was a problem hiding this comment.
UZI and IRMA means are called just so, NutsEmployeeIdentity is the name of the credential. I think the means should be called something along the line of "Self-claimed Employee Identity" or just "Employee Identity".
Also; should be now add levels of assurances to the methods we spec'd? (or refer to a framework we use, e.g. eIDAS(2)?)
rfc/rfc002-authentication-token.md
Outdated
| 2. The `credential` which contains the following information: | ||
| * The `@context` which MUST contain the following urls: | ||
| 1. `http://schema.org/`: contains the Organisation, employeeRole and person types. | ||
| 2. `https://nuts.nl/credentials/v1`: contain definition of the `NutsEmployeeIdentityCredential` type. |
There was a problem hiding this comment.
actually a bit of an oddball VC since it's a VC for an employee, but comes from the wallet of the care organization (rather than a personal wallet). It's sort of a shortcut since the employee doesn't have an SSI wallet with an EmployeeIdentity credential?
There was a problem hiding this comment.
Unless you give the employee a ephemeral wallet (did:key)?
rfc/rfc002-authentication-token.md
Outdated
| * The `issuer` which contains the DID of the care organisation. This DID MUST resolve to a DID Document which contains the public key used to sign the credential. | ||
| * The `credentialSubject` which contains the following information: | ||
| 1. The `@type` which contains the `EmployeeRole` type to indicate the contents describes a EmployeeRole as defined by schema.org | ||
| 2. The `identifier` (optional) which contains the employee number or username. This identifier MUST uniquely identify one natural person within the care organisation. If this number is not available, the email address field of the `Person` MUST be used. |
There was a problem hiding this comment.
Maybe this should be in the "evidence" field? You could see it as evidence of the existence of the employee in the organization's user directory
This PR is a RFC for the
NutsEmployeeIdentitywhich allows a care organisation to construct a claim about a current logged-in user.Since the user identity is issued by the care origanisation instead of a trusted third party (such as the government), it has a low trust level, but also comes with a simpler UX. It can be used in situations where a lower level of trust is appropriate and and then removes an extra burden from the care givers of using a personal authentication device.