Integrity of `skos:preflabel` and `skos:prefdefinition`

Question

Integrity of `skos:preflabel` and `skos:prefdefinition`

tomhgmns opened this issue 2 years ago · 4 comments

We are currently implementing the interop spec into use.id, but are concerned about relying on skos:preflabel and skos:prefdefinition of the Access Need Groups to render the UI of the authz agent.

This is because a malicious party might create a mismatch between those two fields and the actual access requests.

For example, I could present the following access needs group:

skos:preflabel: "Read access to your shopping history"
In reality, my app asks permission to read the user's medical data

Has the panel considered this situation?

We are thinking to solve this issue by putting a human readable name at the shape tree itself...

Answer 1 · 2022-09-08T11:49:09.000Z

Yes this scenario was considered and has been solved already in the shape tree specification. The shape tree definition includes a similar description of what the data is. So regardless of what the access need description is, the data that is being requested is always present it based on the shapetree definition.

…

On Sep 8, 2022, 7:38 AM -0400, Tom Haegemans ***@***.***>, wrote: We are currently implementing the interop spec into use.id, but are concerned about relying on skos:preflabel and skos:prefdefinition of the Access Need Groups to render the UI of the authz agent. This is because a malicious party might create a mismatch between those two fields and the actual access requests. For example, I could present the following access needs group: • skos:preflabel: "Read access to your shopping history" • In reality, my app asks permission to read my medical data Has the panel considered this situation? We are thinking to solve this issue by putting a human readable name at the shape tree itself... — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

Answer 2 · 2022-09-08T12:04:29.000Z

Thanks for the answer, Justin! We'll rely on the ShapeTree definition then!

Answer 3 · 2022-09-08T14:12:00.000Z

Great timing @tomhgmns I'm also implementing it and today should have all the code ready, that combines human-readable information from access need descriptions and shape tree descriptions. I plan to push that code down to sai-js as soon as it fits the need of the authorization agent.

Answer 4 · 2022-09-28T01:16:13.000Z

I'll look into adding what we have discussed here into the Security Considerations section.