D4 - User access
Integration with IETF GNAP
Direct user access should not be allowed (and privileged access in particular). Instead, in accordance with standards such as IEC 62443, we advocate that the device itself connects to remote services when required (for instance to check for updates). Users may access a cloud-based secure digital twin, such as .
The important requirement, therefore, is that devices embed:
a mutual authentication protocol and an end-to-end encrypted channel, to automatically send data to the cloud (see D3 deliverable)
an indirect interaction with end-users (e.g. for enrollment, update, etc.), in which the device acts as the client for a protocol such as IETF GNAP.
A goal for GNAP is to enable , enabling better privacy for patients and delegation between healthcare professionals. Another major improvement over existing protocols such as OAuth2 is that GNAP can also work with identity wallets.
All these prototypes are available as open-source projects.
The remote update includes an authorization layer based on GNAP.
As a result of that work, we recently started an initiative to standardize biscuit tokens (IETF SEC DISPATCH).
Contrary to OAuth2 (and in particular), handling the authorization server as a token factory enables many types of interactions, including communications with native devices.
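The two passages above (the device acting as the GNAP client, and the authorization server acting as a token factory) are illustrated by the following added example, which is not code from the project or from the GNAP prototypes mentioned on this page. It simulates, in one process and without networking or HTTP message signatures, the grant request a device sends, the authorization server's response with an out-of-band interaction for the user, and the continuation that finally yields an access token. The device verifies the RFC 9635 interaction finish hash before continuing, which is the check that stops a callback from another session (or a forged one) from being accepted. The endpoint URLs, the "firmware-update" access type and the device name are assumed values.

```python
"""Simulated GNAP (RFC 9635) grant flow: a device is the client, an in-memory
authorization server (AS) is the token factory. Constructed example; no
network, no key proofing. Only message shapes and the finish-hash check
are modelled."""
import base64
import hashlib
import secrets

GRANT_ENDPOINT = "https://as.example/gnap"          # assumed AS grant endpoint
DEVICE_FINISH_URI = "https://device.example/cb"    # assumed device callback URI


def b64url(data: bytes) -> str:
    """base64url without padding, as GNAP uses for nonces and hashes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def interaction_hash(client_nonce, as_nonce, interact_ref, grant_endpoint):
    """RFC 9635 section 4.2.3: join client nonce, AS nonce, interaction
    reference and grant endpoint URI with "\\n", hash with sha-256 (the
    default hash_method), base64url-encode without padding."""
    msg = "\n".join([client_nonce, as_nonce, interact_ref, grant_endpoint])
    return b64url(hashlib.sha256(msg.encode()).digest())


class DeviceClient:
    """The device never sees user credentials: it requests a grant and lets
    the user interact with the AS out of band (e.g. via a displayed URL)."""

    def __init__(self):
        self.nonce = b64url(secrets.token_bytes(16))
        self.pending = None

    def grant_request(self):
        return {
            "access_token": {"access": [{"type": "firmware-update", "actions": ["read"]}]},
            "client": {"display": {"name": "Medical device (assumed name)"}},
            "interact": {
                "start": ["redirect"],
                "finish": {"method": "redirect", "uri": DEVICE_FINISH_URI, "nonce": self.nonce},
            },
        }

    def on_grant_response(self, resp):
        # Remember the AS nonce and continuation handle; hand the URL to the user.
        self.pending = {"as_nonce": resp["interact"]["finish"], "continue": resp["continue"]}
        return resp["interact"]["redirect"]

    def on_finish_callback(self, params):
        """Check the hash before continuing; a mismatch means the callback does
        not belong to this grant and must be dropped."""
        expected = interaction_hash(self.nonce, self.pending["as_nonce"],
                                    params["interact_ref"], GRANT_ENDPOINT)
        if not secrets.compare_digest(expected, params["hash"]):
            raise ValueError("interaction hash mismatch")
        return {"interact_ref": params["interact_ref"]}, self.pending["continue"]


class AuthorizationServer:
    """Token factory: keeps pending grants keyed by continuation token."""

    def __init__(self):
        self.grants = {}

    def handle_grant(self, req):
        cont_token = b64url(secrets.token_bytes(16))
        as_nonce = b64url(secrets.token_bytes(16))
        self.grants[cont_token] = {"req": req, "as_nonce": as_nonce, "interact_ref": None}
        return {
            "interact": {"redirect": f"https://as.example/interact/{cont_token}", "finish": as_nonce},
            "continue": {"access_token": {"value": cont_token}, "uri": "https://as.example/continue"},
        }

    def user_approves(self, cont_token):
        """User consents on the AS; it issues a single-use interact_ref and the
        hash the device will verify (parameters of the finish redirect)."""
        g = self.grants[cont_token]
        g["interact_ref"] = b64url(secrets.token_bytes(16))
        h = interaction_hash(g["req"]["interact"]["finish"]["nonce"], g["as_nonce"],
                             g["interact_ref"], GRANT_ENDPOINT)
        return {"interact_ref": g["interact_ref"], "hash": h}

    def handle_continue(self, cont_token, body):
        g = self.grants.get(cont_token)
        if g is None or g["interact_ref"] is None or body.get("interact_ref") != g["interact_ref"]:
            return {"error": {"code": "invalid_continuation"}}
        g["interact_ref"] = None  # interact_ref is single use
        return {"access_token": {"value": b64url(secrets.token_bytes(24)),
                                 "access": g["req"]["access_token"]["access"]}}


def run_flow(tamper=False):
    """Drive the whole exchange; with tamper=True the callback carries an
    interact_ref from a different session, which the device must reject."""
    device, server = DeviceClient(), AuthorizationServer()
    resp = server.handle_grant(device.grant_request())
    cont_token = device.on_grant_response(resp).rsplit("/", 1)[1]
    callback = server.user_approves(cont_token)
    if tamper:
        callback = dict(callback, interact_ref="ref-from-another-session")
    body, cont = device.on_finish_callback(callback)
    return server.handle_continue(cont["access_token"]["value"], body)


if __name__ == "__main__":
    print(run_flow())
```

The hash binds the device's own nonce, the AS nonce, the interaction reference and the grant endpoint, so a callback can only be accepted by the client instance that started the grant against that AS. Replaying the same continuation a second time fails at the AS because the interaction reference is consumed.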
We made a that demonstrates the flexible delegation of rights within an organisation, using biscuit tokens (which are now integrated into GNAP):
The (of which I'm co-editor). We published a prototype implementation of the IETF GNAP server in JavaScript, which is currently being rewritten in Rust, as well as a research article at the . The final paper shall be published by . A longer version is available at .