OIP Security Model
Introduction to the OIP Security Model
The OIP security model is a capability-based security framework that ensures secure access to objects and resources. It utilizes capability tokens, which are issued to tenants with specific scopes, such as row, rows, pfx, act, and read. The Model Context Protocol (MCP) is a related standard that connects models to servers, but OIP's security model has its own distinct properties, including time-to-live (TTL), uses, revocation, and risk ceilings.
Capability Tokens and Scopes
Each capability token issued to a tenant carries a scope, which defines the level of access granted. The scopes include row, rows, pfx, act, and read. For example, a tenant with a scope of "row" can only access a specific row in a database, while a tenant with a scope of "rows" can access multiple rows. The OIP security model validates capability tokens before granting access to resources. The route to issue a capability token is POST /api/dispatch with a JSON body containing the tenant's information and the desired scope.
Time-to-Live (TTL) and Uses
Capability tokens have a time-to-live (TTL) and a limited number of uses. The TTL defines the duration for which the token is valid, and the number of uses defines how many times the token can be used before it expires. Once the token's TTL or uses are exhausted, it is automatically revoked. The receipt that proves the issuance of a capability token contains the token's TTL and number of uses.
Revocation and Risk Ceilings
Capability tokens can be revoked at any time, and the OIP security model ensures that revoked tokens are no longer valid. The model also includes risk ceilings, which define the maximum level of risk that can be taken by a tenant. If a tenant's risk exceeds the defined ceiling, their capability token is automatically revoked. The route to revoke a capability token is POST /api/dispatch with a JSON body containing the token's ID.
Tenancy and Fail-Closed Errors
The OIP security model includes a tenancy system, which ensures that each tenant's resources and data are isolated from other tenants. The model also includes fail-closed errors, which ensure that if an error occurs, the system defaults to a secure state, denying access to resources rather than granting it. The receipt that proves the issuance of a capability token contains the tenant's information and the token's scope.
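The validation rules described in the sections above (scope, TTL, uses, revocation, risk ceiling, tenant isolation, fail-closed errors) can be expressed as the following added Python example, which is not OIP's own code. The class, field and reason names, the integer risk scale, and the exact-match scope comparison are assumptions, since the page does not define them.

```python
import time
from dataclasses import dataclass

SCOPES = {"row", "rows", "pfx", "act", "read"}  # scopes named on the page

@dataclass
class Capability:  # hypothetical record; field names are assumptions
    tenant: str
    scope: str
    expires_at: float   # issue time + TTL (seconds)
    uses_left: int
    risk_ceiling: int   # assumed integer risk scale
    revoked: bool = False

class CapabilityStore:
    def __init__(self, clock=time.time):
        self.tokens, self.clock = {}, clock

    def issue(self, token_id, tenant, scope, ttl, uses, risk_ceiling):
        if scope not in SCOPES or ttl <= 0 or uses <= 0:
            raise ValueError("refusing to issue malformed capability")
        self.tokens[token_id] = Capability(
            tenant, scope, self.clock() + ttl, uses, risk_ceiling)

    def revoke(self, token_id):
        if token_id in self.tokens:
            self.tokens[token_id].revoked = True

    def check(self, token_id, tenant, scope, risk):
        """Return (allowed, reason); every failure path denies access."""
        try:
            cap = self.tokens.get(token_id)
            if cap is None or cap.revoked:
                return False, "unknown_or_revoked"
            if cap.tenant != tenant:          # tenancy isolation
                return False, "tenant_mismatch"
            if cap.scope != scope:            # assumed exact-match scope check
                return False, "scope_mismatch"
            if self.clock() >= cap.expires_at or cap.uses_left <= 0:
                cap.revoked = True            # exhausted tokens are revoked
                return False, "expired_or_exhausted"
            if risk > cap.risk_ceiling:
                cap.revoked = True            # risk above ceiling revokes
                return False, "risk_ceiling_exceeded"
            cap.uses_left -= 1
            cap.revoked = cap.uses_left == 0  # last use revokes the token
            return True, "ok"
        except Exception:                     # fail closed on any error
            return False, "error_fail_closed"
```

Passing a fake clock to `CapabilityStore` makes TTL expiry testable without waiting; a malformed risk value exercises the fail-closed path.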
Example and Receipt Rule
For example, a tenant can request a capability token with a scope of "row" and a TTL of 1 hour using the route POST /api/dispatch with a JSON body containing the tenant's information and the desired scope. The receipt that proves the issuance of the capability token will contain the token's ID, TTL, and number of uses. The receipt rule is that the receipt must be returned at /api/dispatch?receipt=inv_ID, where inv_ID is the ID of the invocation.
Conformance Rule
The conformance rule for the OIP security model is that all capability tokens must be issued and validated according to the defined scopes, TTL, and uses. The model must also ensure that revoked tokens are no longer valid and that risk ceilings are enforced. The conformance rule can be tested using the curl command against the https://miscsubjects.com/api/dispatch route.