Reviews on Policy Server Contribution
As there is no Pull Request created, I will present my thoughts on an Issue, regarding the different documents proposed:
General Comments:
- Could you offer an example of a Policy for a better understanding?
- If policies are intended to be defined in Natural Language, when are they presented to the Human Actors (on both the Users and the SPs parts)?
- I get the feeling that policies are established for access decision, and that they would add a concrete additional business layer to build upon a verifier. I think I am missing a bit the relation between a Policy and the related Verifiable Presentation. Could you provide any example or algorithm explaining that?
Regarding the proposed Architecture:
- Access Decision API: I wouldn't name it like that. I understand that API represents some analogous functionality to the VC-HTTP-APIS part of the Verifier. I think Access Decision should be a responsibility of some superior application layer.
- To allow interoperability, the communication protocol to request and provide Verifiable Presentations (either between the User's App and the SP's App, or between the User's App and the Wallet, depending on how the integrations are defined) also needs to be included in the considerations. Otherwise, we wouldn't be able to have wallets from different providers interact interchangeably with the SP's App unless it provides ad-hoc integrations - which is exactly what we are trying to avoid.
- The communication with the policy server is performed from the Universal Verifier and the wallet: what kind of data format is handled there? Machine-readable language? How is the Natural Language applied?
- What would the cardinality and the relation between Policy Servers and Universal Verifiers be? Can a Universal Verifier use multiple Policy Servers? Should it provide one?
- Should the protocol to map a required policy to a Verifiable Presentation be unique? If not, how would the Universal Verifier be sure that it has been correctly enforced?
Regarding the UV Calls:
- I fail to understand the communication between the VC and the SP Application, especially to know how the processes are triggered.
- I assume there is also a missing connection from the Wallet to the Policy Server to retrieve the specific policy.
It seems that 1 and 2 are solved by the application Swimlane; what is the relation of that file to the UVCalls?
- Is there any kind of authentication? Could there be private policies on any business case?
Regarding CNL Architecture:
- I find the conversion an interesting approach, especially the XACML relation. However, it seems focused on Access Decision - which I would consider a specific use case of the Verifier.