Third-party Share Creation Notification

[michielbdejong]

I'm working on a use case where a trusted third party application might inform an OCM server that a resource was shared with it.
This means the Share Creation Notification would not be signed. What do you think?

[glpatcern]

This means the Share Creation Notification would not be signed. What do you think?

In fact, in #180 I sketched another possible use case that would follow a similar pattern. And in first approximation, we also think not to sign the Share Creation Notification request, in order to keep the "OCM client" logic in that third-party application to the bare minimum - boiling down to sending a single HTTP POST request, as opposed to exposing a /.well-known/ocm endpoint with a public key for the recipient to validate.

In both cases the question I think is "how can we establish that a third party application is trustworthy"? This could be either delegated to the receiver, or via some sort of configured allow-list. Anyhow I think it makes sense to contemplate such scenarios.

[mickenordin]

If you are trusted, could you not as the server to sign for you, and or send the notification on your behalf?

[glpatcern]

Eventually, for the case in #180 we are settling into having the third-party application expose a /.well-known/ocm endpoint, such that we can have a public key as well in a final implementation. Nevertheless, not sure what @mickenordin meant by ask the server to sign for you (I guess?): at least for our case, the third-party system does not have any OCM server capability and would only be a kind of well-known client.