Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve Access and User Consent document #182

Closed
wants to merge 1 commit into from

Conversation

chrishowell
Copy link
Collaborator

@chrishowell chrishowell commented Jul 26, 2024

What type of PR is this?

documentation

What this PR does / why we need it:

Defines terms and keeps them consistent throughout, improves clarity in English writing.

Which issue(s) this PR fixes:

#98

Special notes for reviewers:

Changelog input

 release-note access-and-user-consent documentation update

Additional documentation

docs

@AxelNennker
Copy link
Collaborator

Hi @chrishowell
could you please split the PR into a "better English one" and one or more for consistent use of terms and better definitions?
I would like to get the easy stuff approved and then start the discussion on the rest. Which might still lead to some discussion. Thanks for the PR. I am a bit overwhelmed by it

@jpengar jpengar added documentation Improvements or additions to documentation ICM-Backlog labels Jul 29, 2024
@jpengar
Copy link
Collaborator

jpengar commented Jul 30, 2024

@chrishowell @AxelNennker This is a great contribution, thank you Chris!
I agree with Axel, it will be much easier to handle if we isolate the proposed changes in different PRs. The "better English" one will probably be the easiest to approve. However, the one about the terms and definitions (saying that I pretty much agree with the ones you propose), there is a specific #98 issue to revisit terms and definitions and I can imagine that it will require further discussions.

On the other hand, I've labeled the PR with ICM backlog as it would have to be addressed in the next release. We are already closing the second release candidate of current release 0.2.0-rc.2, which is only intended for bug fixes. Also, among the changes you suggested, some of them have greater impact than they look:

  • Changing the title of the Purpose section would change the link reference to that section, and would require updating existing references to that section in all other documents in all subprojects that point to it. That's not possible for this meta release at this stage.
  • Also, you propose changes to the info.description template, which is included in all CAMARA APIs. This is a very sensitive text to change, as it represents the ICM agreement between many participants. And this text is copied into all API specifications. So if it is changed, it would have to be carefully revised and updated in all API subprojects. So that would certainly be work for another release -> UPDATE: BTW, there is a specific issue to revisit this template *in the backlog The wording in the Mandatory template for info.description is unclear #178

@chrishowell
Copy link
Collaborator Author

Thanks for reviewing :) it's a bit difficult to split this into multiple PRs as the 'better English' comes with using defined terms..

@jpengar
Copy link
Collaborator

jpengar commented Sep 12, 2024

Thanks for reviewing :) it's a bit difficult to split this into multiple PRs as the 'better English' comes with using defined terms..

@chrishowell As discussed by the team in yesterday's WG call, in order to move things forward, could you split the content of this PR into three:

  • One focused on just updating the terms and definitions. So that the WG can agree on the terms to be used in the rest of the documentation. Please keep the same changes you propose in the PR.
  • Another editorial one, simply including the same "better English" changes you propose in this PR. You can assume for the moment that the terms and definitions are the ones you proposed. And then it may need some adjustments if something is changed in the previous PR.
  • And finally, another independent PR just for changes in the info.description template, which could also fix other issues like The wording in the Mandatory template for info.description is unclear #178.

@jpengar
Copy link
Collaborator

jpengar commented Oct 10, 2024

@jpengar
Copy link
Collaborator

jpengar commented Nov 4, 2024

@sebdewet @AxelNennker It's ok with you if I close this PR after the split?

Copy link
Contributor

@RandyLevensalor RandyLevensalor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the changes, but there seems to be a lot of capitalization of nouns, which are not proper nouns. I highlighted a few in this review, but didn't go through all of them.


The document covers aspects regarding CAMARA APIs access and the user consent management, which includes following concepts:
This document defines guidelines for the Operator's API Exposure Platform to manage CAMARA API access and when applicable, User Consent to comply with data protection requirements, and it introduces the formal concept of Purpose within an API invocation. Note that the document is predominantly based on concepts defined within GDPR regulations, however the proposed solution and concepts are generic and can by mapped to any relevant local data protection regulations.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This document defines guidelines for the Operator's API Exposure Platform to manage CAMARA API access and when applicable, User Consent to comply with data protection requirements, and it introduces the formal concept of Purpose within an API invocation. Note that the document is predominantly based on concepts defined within GDPR regulations, however the proposed solution and concepts are generic and can by mapped to any relevant local data protection regulations.
This document defines guidelines for the operator's API exposure platform to manage CAMARA API access and when applicable, user consent to comply with data protection requirements, and it introduces the formal concept of purpose within an API invocation. Note that the document is predominantly based on concepts defined within GDPR regulations, however the proposed solution and concepts are generic and can by mapped to any relevant local data protection regulations.

Some of this capitalization doesn't seem necessary.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@RandyLevensalor
The capitalisation is intentional - it means the term has been defined elsewhere in the document (in this case, in the glossary section, though that itself is being updated in PR #212).

When capitalised in this way, it means the document is intentionally using the defined term, and this hopefully prevents others interpreting the term in a different way.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly, thanks @eric-murray. @RandyLevensalor As mentioned in #182 (comment), this PR #182 has been split into three PRs with the same changes for ease of handling. This PR should be closed and we can agree the necessary adjustments to the others.

This document includes following concepts:
- User identity, and how to identify the User.
- Application Service Provider (ASP) authentication and authorization, and how to authenticate the ASP's applications and authorize their access to CAMARA APIs.
- How Purpose applies to CAMARA APIs.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- How Purpose applies to CAMARA APIs.
- How purpose applies to CAMARA APIs.

Not sure why "Purpose" is capitalized.

- User identity, and how to identify the User.
- Application Service Provider (ASP) authentication and authorization, and how to authenticate the ASP's applications and authorize their access to CAMARA APIs.
- How Purpose applies to CAMARA APIs.
- How to capture and store Consent when required, without materially degrading the End-User's experience of an ASP's Application.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- How to capture and store Consent when required, without materially degrading the End-User's experience of an ASP's Application.
- How to capture and store consent when required, without materially degrading the End-User's experience of an ASP's Application.

Capitalization

- Application Service Provider (ASP) authentication and authorization, and how to authenticate the ASP's applications and authorize their access to CAMARA APIs.
- How Purpose applies to CAMARA APIs.
- How to capture and store Consent when required, without materially degrading the End-User's experience of an ASP's Application.
- Policy enforcement to validate the existence and/or validity of Consent before authorizing access to a CAMARA API.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Policy enforcement to validate the existence and/or validity of Consent before authorizing access to a CAMARA API.
- Policy enforcement to validate the existence and/or validity of consent before authorizing access to a CAMARA API.

### Applying purpose concept in the authorization request

The mechanism for applying the concept of purpose in the authorization request in CAMARA is by using the standard `scope` parameter as defined in [Purpose as a scope](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#purpose-as-a-scope) section of the CAMARA Security and Interoperability Profile.
- `Aggregator`: the party that aggregates CAMARA APIs exposed by Operators, and exposes services that utilize these APIs to ASPs. An Aggregator can be a hyperscaler (e.g. Vonage, AWS, Azure, Google Cloud) offering its own services that consume CAMARA APIs, or exposing Operators' CAMARA APIs in an aggregated way, or an Operator acting as an Aggregator, i.e. an Operator aggregating other Operators' CAMARA APIs.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `Aggregator`: the party that aggregates CAMARA APIs exposed by Operators, and exposes services that utilize these APIs to ASPs. An Aggregator can be a hyperscaler (e.g. Vonage, AWS, Azure, Google Cloud) offering its own services that consume CAMARA APIs, or exposing Operators' CAMARA APIs in an aggregated way, or an Operator acting as an Aggregator, i.e. an Operator aggregating other Operators' CAMARA APIs.
- `Aggregator`: the party that aggregates CAMARA APIs exposed by operators, and exposes services that utilize these APIs to ASPs. An aggregator can be a hyperscaler (e.g. Vonage, AWS, Azure, Google Cloud) offering its own services that consume CAMARA APIs, or exposing operators' CAMARA APIs in an aggregated way, or an operator acting as an aggregator, i.e. an operator aggregating other operators' CAMARA APIs.


The mechanism for applying the concept of purpose in the authorization request in CAMARA is by using the standard `scope` parameter as defined in [Purpose as a scope](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#purpose-as-a-scope) section of the CAMARA Security and Interoperability Profile.
- `Aggregator`: the party that aggregates CAMARA APIs exposed by Operators, and exposes services that utilize these APIs to ASPs. An Aggregator can be a hyperscaler (e.g. Vonage, AWS, Azure, Google Cloud) offering its own services that consume CAMARA APIs, or exposing Operators' CAMARA APIs in an aggregated way, or an Operator acting as an Aggregator, i.e. an Operator aggregating other Operators' CAMARA APIs.
- `API Exposure Platform`: the Operator's platform for exposing CAMARA APIs to ASPs and Aggregators, providing authentication and authorization mechanisms, and End-User Consent management. The API Exposure Platform typically consists of at least an Auth Server and an API Gateway.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `API Exposure Platform`: the Operator's platform for exposing CAMARA APIs to ASPs and Aggregators, providing authentication and authorization mechanisms, and End-User Consent management. The API Exposure Platform typically consists of at least an Auth Server and an API Gateway.
- `API Exposure Platform`: the Operator's platform for exposing CAMARA APIs to ASPs and aggregators, providing authentication and authorization mechanisms, and End-User consent management. The API exposure platform typically consists of at least an Auth Server and an API gateway.

- `Aggregator`: the party that aggregates CAMARA APIs exposed by Operators, and exposes services that utilize these APIs to ASPs. An Aggregator can be a hyperscaler (e.g. Vonage, AWS, Azure, Google Cloud) offering its own services that consume CAMARA APIs, or exposing Operators' CAMARA APIs in an aggregated way, or an Operator acting as an Aggregator, i.e. an Operator aggregating other Operators' CAMARA APIs.
- `API Exposure Platform`: the Operator's platform for exposing CAMARA APIs to ASPs and Aggregators, providing authentication and authorization mechanisms, and End-User Consent management. The API Exposure Platform typically consists of at least an Auth Server and an API Gateway.
- `Application` or `Application Backend`: the ASP's software services that access CAMARA APIs.
- `Application Service Provider (ASP)`: the Legal Entity that provides the Application and/or services that consume CAMARA APIs.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `Application Service Provider (ASP)`: the Legal Entity that provides the Application and/or services that consume CAMARA APIs.
- `Application Service Provider (ASP)`: the legal entity that provides the application and/or services that consume CAMARA APIs.

AxelNennker added a commit that referenced this pull request Nov 6, 2024
…ms-and-defs

PR #182 split - terms and definitions (part 1 of 3)
@jpengar jpengar closed this Nov 6, 2024
jpengar added a commit that referenced this pull request Nov 11, 2024
…ter-english

PR #182 split - better english improvements (part 2 of 3)
jpengar added a commit that referenced this pull request Dec 5, 2024
…o-description-template

PR #182 split - info.description template review (part 3 of 3)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation ICM-Backlog spring25-candidate
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants