Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
Whose access controls enforce data sharing across social network services? (20070718)
With independent siloed Internet services, a user must manually switch from viewing one service's web site to viewing that of another service.
As these silos add the oft-requested APIs that give external applications access to the siloed data, interaction between services becomes possible. See, for example, the experience with the Facebook platform discussed by Gerald Beuchelt in his blog post "Facebook ... hmm" and by Chris Ceppi in "Facebook's Pointer Platform".
If a user of services A and B grants a service C the right to access the user's profile as held in B and the profile as held in A, in order to have their data from A show up in B, then the access control settings the user placed on that data should be respected regardless of where the data is displayed.
Problems arise, however, if access control checks are decoupled from the data access, so that applications using an API can bypass the fine-grained access control checks which a service implements for its own rendered views.
In some current implementations, the user of A can grant an independent application C the right to access their data through the API, but once this happens the fine-grained access controls which the user placed on their data become merely "advisory": the application C might not interpret the access controls at all, or, if it does, might not implement them in line with the user's expectations.
For example, an application that is allowed to read a user's Flickr photos and display them on the user's Facebook page to the user's Facebook friends might by default display photos that the user marked as "private" in Flickr (violating the user's access controls), since Flickr does not know that the application plans to display the photos to third parties.
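The following is an added example, not code from the original post or from any of the services it names. It models the two placements of the access control decision discussed above: a source service (standing in for Flickr) whose own rendered view enforces per-photo visibility, a decoupled API that hands the same data to an external application with the visibility setting attached only as an advisory tag, and an alternative API in which the application declares the audience it will display to and the source makes the decision. The service, user, photo identifiers, visibility levels and friend lists are all constructed for the illustration, and the last variant assumes that user identifiers are shared between the source and the displaying site.

```python
"""Added example (not code from the original post): where the access-control
decision lands when a user's data is pulled out of one service and re-displayed
by another. A photo service stands in for the "Flickr" of the text, an external
application for the Facebook application, and a second friend list for the
friends on the displaying site. All names, ids and settings are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    """Fine-grained setting the owner placed on each photo at the source."""
    PUBLIC = 1
    FRIENDS = 2
    PRIVATE = 3


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    visibility: Visibility


class PhotoService:
    """Source service A: holds the photos, A's friend lists and the owner's settings."""

    def __init__(self, photos, friends):
        self._photos = list(photos)        # list[Photo]
        self._friends = friends            # dict[owner -> set of A-side friend ids]

    def _visible_to(self, photo, viewer):
        if photo.visibility is Visibility.PUBLIC:
            return True
        if photo.visibility is Visibility.FRIENDS:
            return viewer == photo.owner or viewer in self._friends.get(photo.owner, set())
        return viewer == photo.owner       # PRIVATE: owner only

    def render_page(self, owner, viewer):
        """A's own rendered view: the check is coupled to the data access."""
        return [p.photo_id for p in self._photos
                if p.owner == owner and self._visible_to(p, viewer)]

    def api_export(self, owner):
        """Decoupled API (the problematic pattern). The owner granted the app
        access, so every photo is returned; the visibility tag travels along
        but is merely advisory, and enforcement is left to the consumer."""
        return [(p.photo_id, p.visibility.name) for p in self._photos if p.owner == owner]

    def api_export_for_audience(self, owner, audience):
        """Decision made at the source: the app declares the set of viewers it
        will show the data to (in A's user ids) and A returns only the photos
        every one of them may see under the owner's settings."""
        return [p.photo_id for p in self._photos
                if p.owner == owner and all(self._visible_to(p, v) for v in audience)]


class MashupApp:
    """External application C that re-displays A's photos on service B."""

    def __init__(self, source, b_friends):
        self.source = source
        self.b_friends = b_friends         # dict[owner -> set of B-side friend ids]

    def display_naive(self, owner):
        """Ignores the advisory tag: shows everything the API handed over,
        including photos the owner marked private."""
        return [pid for pid, _tag in self.source.api_export(owner)]

    def display_honoring_tags(self, owner):
        """Reads the tag, but interprets 'FRIENDS' against B's friend list, which
        is not A's: a B-friend who is not an A-friend still sees the photo."""
        return [pid for pid, tag in self.source.api_export(owner) if tag != "PRIVATE"]

    def display_source_decided(self, owner):
        """Asks A to decide for the actual audience on B. Assumes user ids are
        shared between A and B (an assumption of this example only)."""
        return self.source.api_export_for_audience(owner, self.b_friends[owner])


# Constructed sample data: alice has one photo at each visibility level.
PHOTOS = [Photo("p1", "alice", Visibility.PUBLIC),
          Photo("p2", "alice", Visibility.FRIENDS),
          Photo("p3", "alice", Visibility.PRIVATE)]
A_FRIENDS = {"alice": {"bob"}}
B_FRIENDS = {"alice": {"bob", "carol"}}   # carol is alice's friend on B only

SERVICE = PhotoService(PHOTOS, A_FRIENDS)
APP = MashupApp(SERVICE, B_FRIENDS)

if __name__ == "__main__":
    print("A's own page, viewed by carol:", SERVICE.render_page("alice", "carol"))
    print("C, naive:                     ", APP.display_naive("alice"))
    print("C, honoring tags on B's terms:", APP.display_honoring_tags("alice"))
    print("C, decision made at A:        ", APP.display_source_decided("alice"))
```

Run stand-alone, the naive application shows the private photo p3 to everyone on B, the tag-honoring application drops p3 but still shows the friends-only photo p2 to carol, who is not alice's friend at the source, and only the variant that sends the intended audience back to the source produces the same result as A's own page. The third variant is also the one that breaks first in practice, because it needs the two services to agree on who "carol" is, which is exactly the semantic gap raised in the questions that follow.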
- What should be the appropriate points for access control decisions to be made when data is transferred between 'mashedup' Internet services?
- If access control statements or security capabilities are to be transferred between applications, in what format should they be encoded? If, instead, the statements/capabilities are not transferred but the decisions are made at the source of the data, in what format should the application's intentions for that data be described?
- How should the differences in semantics between the applications be handled? A "friend" concept in one social network service is not necessarily applicable as a "friend" in another service, since the term has become overloaded.
- Is there scope for one of the Liberty protocols, for example, to be of use here?
Perhaps this might be discussed at a DataShareCamp (the idea of a conference for discussing data sharing between social network sites through services such as OpenID AX was proposed by Marc Canter in his blog post "DataShareCamp").